
No Net Access, No NAV, No Spyware?



#1 Guest_Devil Duckie_*

Guest_Devil Duckie_*
  • Guests

Posted 04 June 2004 - 05:26 PM

My boss's kids got some nasty stuff on their computer. I ran Ad-Aware, Spybot S&D and Norton (with REALLY old virus defs because I can't get Live Update to work). Found a bunch of stuff and cleaned it up. NAV, Ad-Aware, S S&D all show nothing now. Still can't access the internet. Still can't copy/paste files. Still can't access the taskbar. Sound is dead.

I had to handwrite the Hijack This log so I could get it home to a computer that actually works...here's what HJT shows:

Logfile of Hijack This v1.97.7
Scan saved at 2:52:14PM, on 6/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v 6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\symantec shared\ccApp.exe
C:\Program Files\Common Files\symantec shared\ccRegVfy.exe
C:\documents and settings\sara\local settings\temp\SL.exe
C:\documents and settings\sara\local settings\temp\SL.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 10 for Hijackthis.zip\HijackThis.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Common~1\Symant~1\Script~1\SBServ.exe
C:\WINNT\wanmpsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page - http://www.wrk.com/
02 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} C:\Program Files\Microsoft Money\System\mnyside.dll
02 - BHO: (no name) - {28688B51-5177-446B-A9FA-8D617A212BAA} - C:\WINNT\maxvn.dll (disabled BHODemon)
02 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
02 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Anti Virus\NavshExt.dll
03 - Toolbar:Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program FIles Norton AntiVirus\NavshExt.dll
03 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
04-HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.exe
04-HKLM\..\Run:[NvCplDaemon] RUNDLL32.EXE NvQTwk, NvCplDaemon initialize
04-HKLM\..\Run:[GWMDMMSG] GWMDMMSG.EXE
04-HKLM\..\Run:[Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check"
04-HKLM\..\Run:[GWMDMpi] C:\WINNT\GWMDMpi.exe
04-HKLM\..\Run:[AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
04-HKLM\..\Run:[EPSON Stylus C42 Series] C:\WINNT\System 32\spool\DRIVERS\W32X86\3\E_S10IC1.exe /P23 "Epson Stylus C42 Series" /06 "USB001" /M "Stylus C42"
04-HKLM\..\Run:[QUICK TIME TASK] "C:\Program Files\Quicktime\qttask.exe -atbootime
04-HKLM\..\Run:[TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
04-HKLM\..\Run:[ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
04-HKLM\..\Run:[ccRegvfy] "C:\Program Files\Common Files\Symantec Shared\ccRegvfy.exe"
04-HKLM\..\Run:[Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
04-HKLM\..\Run:[GNTDKQX] C:\WINNT\GNTDKQX.exe
04-HKLM\..\Run:[enol] C:\WINNT\enol.exe
04-HKLM\..\Run:[SL] C:\documents and settings\sara\local settings\temp\SL.exe
04-HKLM\..\Run:[MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
04-HKLM\..\Run:[AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
04-HKLM\..\Run:[PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
04-HKLM\..\Run:[Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe
04-HKLM\..\Run:[WNSI] C:\WINNT\System32\wnscpcc.exe
04-HKLM\..\Run:[ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

08 - Extra context menu item: Limeshop preferences - file://c:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

09 - Extra Button: AIM (HKLM)
09 - Extra Button: Real.com (HKLM)
09 - Extra Button - MoneySide (HKLM)

012 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
016 - DPF: {0ZBF25D5-8C17-4B23-BC80-D3488ABDOC6B} (Quick Time Object) - http://www.apple.com...ex/qtplugin.cab
016-DPF: {33564D57-000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9vcm.cab
016-DPF: {CC05BC12-2AA20-4AC7-AC81-0E40F83B1ADF} (Live365 Player Class) - http://www.live365.c...ers/play365.cab
016-DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash object) - http://download.macr...ash/swflash.cab

Thanks so much for your help!

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 04 June 2004 - 07:14 PM

Hi,

I had to handwrite the Hijack This log

Now that's dedication! :rofl:

Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Run BHODemon and undo the below:
02 - BHO: (no name) - {28688B51-5177-446B-A9FA-8D617A212BAA} - C:\WINNT\maxvn.dll (disabled BHODemon)

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

02 - BHO: (no name) - {28688B51-5177-446B-A9FA-8D617A212BAA} - C:\WINNT\maxvn.dll
04-HKLM\..\Run:[GNTDKQX] C:\WINNT\GNTDKQX.exe
04-HKLM\..\Run:[enol] C:\WINNT\enol.exe

04-HKLM\..\Run:[SL] C:\documents and settings\sara\local settings\temp\SL.exe

Note: not exactly sure what "SL.exe" is but it shouldn't be running from there!

04-HKLM\..\Run:[Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe
04-HKLM\..\Run:[WNSI] C:\WINNT\System32\wnscpcc.exe
04-HKLM\..\Run:[ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
08 - Extra context menu item: Limeshop preferences - file://c:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
016-DPF: {CC05BC12-2AA20-4AC7-AC81-0E40F83B1ADF} (Live365 Player Class) - http://www.live365.c...ers/play365.cab


Then reboot and, on restart, start in Safe Mode (see "How To" below).

Open Windows Explorer locate and delete the following:

C:\WINNT\maxvn.dll <--this file
C:\WINNT\GNTDKQX.exe <--this file
C:\WINNT\enol.exe <--this file
C:\Documents and Settings\Owner\Application Data\ootr.exe <--this file
C:\Program Files\LimeShop <--this folder
C:\PROGRAM FILES\ClockSync <--this folder

Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
And of course see if you can get online ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
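The triage logic behind the reply above (an autostart binary under a user's temp or Application Data folder "shouldn't be running from there") as an added example, not code from the thread or from HijackThis. It parses O4 lines in both spellings seen here, the hand-copied "04-HKLM\..\Run:[SL]" and the real "O4 - HKLM\..\Run: [SL]", and the sample log is constructed from entries quoted in this thread.

```python
import re

# Constructed sample: O4 lines copied from the two logs in this thread, in
# both the hand-copied spelling ("04-HKLM...") and HijackThis's real output.
SAMPLE_LOG = r"""
04-HKLM\..\Run:[ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
04-HKLM\..\Run:[SL] C:\documents and settings\sara\local settings\temp\SL.exe
O4 - HKLM\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
"""

# Tolerant O4 pattern: "O4" or a hand-copied "04", optional spaces around
# the dash and after the colon, then the [name] and the command line.
O4_RE = re.compile(
    r"^[O0]4\s*-\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$",
    re.IGNORECASE,
)

# Folders a startup binary has no business living in (matched case-insensitively).
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\application data\\")


def binary_path(cmd):
    """Return the executable path from a Run value: quoted paths end at the
    closing quote, unquoted ones at the first .exe/.dll/.sys before a space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|sys))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log_text):
    """Return [(entry name, path, folder)] for O4 entries whose executable
    lives in a per-user temp or Application Data folder."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = binary_path(m.group("cmd"))
        for folder in SUSPICIOUS_DIRS:
            if folder in path.lower():
                hits.append((m.group("name"), path, folder.strip("\\")))
                break
    return hits


if __name__ == "__main__":
    for name, path, folder in triage(SAMPLE_LOG):
        print(f"[{name}] runs from '{folder}': {path}")
```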

#3 Guest_Devil Duckie_*

Guest_Devil Duckie_*
  • Guests

Posted 04 June 2004 - 07:25 PM

I won't be able to get back to his house until Monday... but at least now I'll have something to reference. (And can you really consider it dedication if he pays me my hourly wage PLUS a little extra for the on-site tech support? *grin*)

Thanks so much!

#4 Guest_Devil Duckie_*

Guest_Devil Duckie_*
  • Guests

Posted 07 June 2004 - 02:17 PM

OK. Still no happy. I got rid of everything per WinHelp2002's advice and a little something called "pcsvc.exe" which someone else told me was bad. Ad-Aware, Spybot and HijackThis aren't showing anything out of the norm. Norton is still down, IE won't work AND anytime I touch a file on the desktop, the computer freezes.

Here's the latest HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 2:52:13 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINNT\system32\notepad.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrk.com/
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#5 Guest_Devil Duckie_*

Guest_Devil Duckie_*
  • Guests

Posted 07 June 2004 - 03:16 PM

Is it possible there's some kind of virus/trojan? Norton's completely gone. Like uninstalled gone, and I can't seem to reinstall it. XP keeps throwing up an error message about a corrupt installer, and I can't get on the internet to run an online scanner like Panda or AVG.

I did manage to run the Blaster fix tool from Symantec just in case (symptoms looked kind of similar) but that found nothing. I'm also going to run Sasser, Mydoom, and Beagle. If those don't work, what's my option?

The boss wants me to take Windows off and reinstall it, but I'm a Mac gal myself and reinstalling Windows gives me the woozies. Besides, even if I reinstall, aren't the odds good the *whatever* will still be there?

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 07 June 2004 - 04:01 PM

Hi,
Your log looks clean now ...

If things worked in Safe Mode, deleting files, etc. then it sounds like a bad or corrupt video driver, if you get a "screen freeze" (no mouse or keyboard) in regular mode.

Try reducing the Hardware Accelerator 2 notches (reboot required)
Display Properties | Settings | Advanced
[or]
Use the System File Checker tool to scan all of the protected files on your computer:
Click Start, and then click Run.
In the Open box, type "sfc /scannow" (no quotes), and then click OK.
Mike

#7 Guest_Devil Duckie_*

Guest_Devil Duckie_*
  • Guests

Posted 07 June 2004 - 07:45 PM

Safe Mode didn't do much for me. Still had a heck of a time pulling off the HijackThis log - at least I didn't have to handwrite it. We ended up pulling the plug and taking it to a repair shop. The tech was amazed by how slow it was loading and thinks there are more problems than just the 600+ pieces of spyware I pulled off.

I'd like to find the people responsible for this stuff and wring their necks. I lost almost an entire 4 days trying to figure out what was wrong and teaching myself more than I ever wanted to know about Windows in the process. *sigh* (I'm OK with Win 98. HATE XP with a passion. )

Thanks for all the help, though. If I hear what was actually at the root of the problem, I'll be in touch.

#8 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 07 June 2004 - 07:51 PM

Hi,

We ended up pulling the plug and taking it to a repair shop

Ok ... well good luck with it :wave:
Mike

#9 Guest_Devil Duckie_*

Guest_Devil Duckie_*
  • Guests

Posted 14 June 2004 - 10:58 AM

So, we heard back from the repair shop. Most of the spyware was gone (thanks WinHelp2002!) but they had 4 viruses on there and a keystroke lifter. The registry had been damaged so badly by the viruses that a clean install didn't fix the problems. They had to go in and do a lot of fix-it work.

It runs much better now and I've gone ahead and installed all the spyware blockers that have been recommended on this forum. I'm going to keep my fingers crossed and hope they work.

Thanks so much for your help!

#10 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 14 June 2004 - 11:44 AM

Hi,
You're welcome ... glad to see you were able to resolve your problem. :wave:
Mike

#11 Guest_Devil Duckie_*

Guest_Devil Duckie_*
  • Guests

Posted 14 June 2004 - 11:58 AM

Yeah, it's fixed. I'm just bummed we had to call in the repair shop. *feh*
