Need help going mad, tried everything...hijack included

Can't get any web pages; the connection is OK and I checked everything OK with BT. Tried two antivirus programs (got some FunLove bugs), ran Spybot, CWS and Ad-Aware, been through my HijackThis log and got rid of each line one at a time, retried the internet and then restored it in HijackThis if that didn't work. It didn't. Driving me mad and I'm not confident enough to format. Please can anyone spot anything?

Logfile of HijackThis v1.97.7
Scan saved at 08:27:23, on 16/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msnms.exe
C:\WINDOWS\System32\MsConfiG.exe
C:\WINDOWS\System32\aheadchk.exe
C:\WINDOWS\System32\MSRSS.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\wincalc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MSRSS.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVPersonal\Avwin.exe
C:\WINDOWS\System32\w32.exe
E:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Windows Manager System] aheadchk.exe
O4 - HKLM\..\Run: [MSN Updater] msnms.exe
O4 - HKLM\..\Run: [svchost32] w32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\Run: [Microsoft Java Virtual Machine] MsConfiG.exe
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteuuk32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows Manager System] aheadchk.exe
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - HKLM\..\RunServices: [Microsoft Java Virtual Machine] MsConfiG.exe
O4 - HKLM\..\RunServices: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\RunServices: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\RunServices: [svchost32] w32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSN Updater] msnms.exe
O4 - HKCU\..\Run: [Windows Manager System] aheadchk.exe
O4 - HKCU\..\Run: [Microsoft Java Virtual Machine] MsConfiG.exe
O4 - HKCU\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKCU\..\Run: [svchost32] w32.exe
O4 - HKCU\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\RunServices: [svchost32] w32.exe
O4 - HKLM\..\RunOnce: [MSN Updater] msnms.exe
O4 - HKLM\..\RunOnce: [Microsoft Java Virtual Machine] MsConfiG.exe
O4 - HKCU\..\RunOnce: [MSN Updater] msnms.exe
O4 - HKCU\..\RunOnce: [Microsoft Java Virtual Machine] MsConfiG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O16 - DPF: v3cab - http://searchmiracle.com/cab/8.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/AgeVerifier/ie/bridge-c24.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107472021639
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37983.1335648148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
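
The log above is long enough that it helps to let a script do the first pass. The block below is an added example, not part of the original thread and not Buckeye_Sam's advice: it parses a handful of O2/O4/O16 lines copied from the log above and scores the autorun (O4) entries the way a responder does by eye. The autorun heuristics are: one executable registered under several Run/RunOnce/RunServices keys at once, a bare filename with no directory (resolved via the search path, typically a file dropped into System32), a display name that borrows Microsoft/Windows/MSN branding, and any use of the Win9x-era RunServices key on an NT platform. O16 entries are reported when the cab's host is not on an allow-list. The allow-list, the score weights and the threshold of 3 are assumptions chosen for this example, not an authoritative source.

```python
"""Heuristic triage of HijackThis 1.9x O2/O3/O4/O16 lines (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts from which ActiveX (O16) cabs are expected on this machine.
# Constructed allow-list for the example, not an authoritative source.
TRUSTED_DPF_HOSTS = {
    "download.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "v5.windowsupdate.microsoft.com",
    "download.macromedia.com",
    "www.apple.com",
}

# Branding that malware puts in autorun display names to look official.
BRAND_WORDS = ("microsoft", "windows", "msn")

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\S+)(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)
MISSING_RE = re.compile(r"^O[23] - .*\(file missing\)$")

# Sample input: lines copied from the first log in this thread.
SAMPLE = r"""
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
O4 - HKLM\..\Run: [MSN Updater] msnms.exe
O4 - HKLM\..\Run: [svchost32] w32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - HKLM\..\RunServices: [svchost32] w32.exe
O4 - HKCU\..\Run: [MSN Updater] msnms.exe
O4 - HKCU\..\Run: [svchost32] w32.exe
O4 - HKCU\..\RunServices: [svchost32] w32.exe
O4 - HKLM\..\RunOnce: [MSN Updater] msnms.exe
O4 - HKCU\..\RunOnce: [MSN Updater] msnms.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/8.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
""".strip().splitlines()


def exe_of(cmd):
    """Executable token of an O4 command, lower-cased (quotes and args stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    return cmd.split()[0].lower()


def triage(lines):
    """Score O4 autoruns and list O16/O2/O3 lines that deserve a look."""
    locations = defaultdict(set)   # exe -> autorun keys it is registered under
    display = {}                   # exe -> first display name seen
    findings = {"autorun": {}, "dpf": [], "missing": []}

    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_of(m["cmd"])
            locations[exe].add(f"{m['hive']}\\{m['key']}")
            display.setdefault(exe, m["name"])
            continue
        m = O16_RE.match(line)
        if m:
            if urlsplit(m["url"]).netloc.lower() not in TRUSTED_DPF_HOSTS:
                findings["dpf"].append((m["clsid"], m["url"]))
            continue
        if MISSING_RE.match(line):
            findings["missing"].append(line)

    for exe, keys in locations.items():
        score, why = 0, []
        if len(keys) > 1:
            # Installers register once; worms spray every autorun key they know.
            score += 2 * (len(keys) - 1)
            why.append(f"registered in {len(keys)} autorun keys")
        if "\\" not in exe:
            # No directory: resolved via the search path, usually a drop in System32.
            score += 1
            why.append("bare filename, no path")
            if any(w in display[exe].lower() for w in BRAND_WORDS):
                score += 1
                why.append("borrows Microsoft/Windows branding")
        if any("RunServices" in k for k in keys):
            # RunServices is a Win9x key; Windows XP does not process it.
            score += 1
            why.append("uses Win9x RunServices key on NT")
        if score >= 3:   # threshold is an assumption for this example
            findings["autorun"][exe] = (score, why)
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE)
    for exe, (score, why) in sorted(result["autorun"].items(), key=lambda kv: -kv[1][0]):
        print(f"{score:2d}  {exe:12s} {'; '.join(why)}")
    for clsid, url in result["dpf"]:
        print(f"DPF from untrusted host: {clsid} <- {url}")
    for line in result["missing"]:
        print(f"dead reference: {line}")
```

On the sample, msnms.exe (five autorun keys) and w32.exe (four) come out on top, vptray.exe and qttask.exe score zero, and the two cabs not from an allow-listed host plus the dead EliteToolBar BHO are listed for review. The scoring is a filter, not a verdict: an entry such as the eliteuuk32.exe line in the log above is registered once with a full path and scores zero here, so path-based entries still need a name lookup, and an O17 NameServer line should be compared against the ISP's published resolvers before it is touched.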

Comments

  • edited February 2005
    P.S. I can't get any LiveUpdates or new versions of anything because they won't connect to the internet!!
    Thanks
  • edited February 2005
    Please, please could anyone point out the part which may get me browsing again? I keep reading all the help logs while at work but can't download anything, so when I get home I'm stuck because I can't get to any web pages. I could clear up the rest after I get back online.
    Thanks a bundle
  • Buckeye_Sam, Columbus, Ohio
    edited February 2005
    You've got a load of viruses in your log. Norton's not doing you much good. Let's see if we can get you back online first.

    Download this program and run it on the infected computer.
    http://www.majorgeeks.com/download4372.html
    Assuming you can get online after running WinsockFix...

    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that can not be removed by the scans please include that information in your next post.
    Reboot and post a new hijackthis log.
  • edited February 2005
    Hi, thanks for the reply. Did the format last night, ran HJT straight away and only had 4 entries, but tried to install a few things, Symantec AntiVirus etc., and it's running like a dog and says "LiveUpdates disabled, see administrator". Ran an HJT log again, which is below. Is it clean? Because, as I say, the system is running like a dog. I have managed to get back on the net but it is very slow.
    Cheers

    Logfile of HijackThis v1.99.0
    Scan saved at 12:51:11 AM, on 2/17/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\windowsp.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\taskrnager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\mptmfh.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    c:\program files\180solutions\sais.exe
    C:\WINDOWS\System32\msconfg.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\hjacknew\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=157882
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=157882
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=157882
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [TASKMANAGE] taskrnager.exe
    O4 - HKLM\..\Run: [Windows Network Controller] windowsp.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [2CByMTU9] C:\WINDOWS\mptmfh.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [wbwdmh] C:\WINDOWS\wbwdmh.exe
    O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKLM\..\RunServices: [TASKMANAGE] taskrnager.exe
    O4 - HKLM\..\RunServices: [Windows Network Controller] windowsp.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
    O4 - HKLM\..\RunOnce: [Windows Network Controller] windowsp.exe
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\anthony\LOCALS~1\Temp\djtopr1150.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows Network Controller] windowsp.exe
    O4 - HKCU\..\Run: [TASKMANAGE] taskrnager.exe
    O4 - HKCU\..\RunOnce: [Windows Network Controller] windowsp.exe
    O4 - Startup: delstart.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BC7EA828-8BEC-49D3-AC06-F011BF714BFF}: NameServer = 194.72.9.38 194.74.65.68
  • Buckeye_Sam, Columbus, Ohio
    edited February 2005
    If you formatted your hard drive and reinstalled you need to immediately install Windows critical updates. As you can see, it doesn't take long for you to get badly reinfected if you don't close up the holes in your system right away.
    Download and run Microsoft's Antispyware.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that can not be removed by the scans please include that information in your next post.
    Reboot and post a new hijackthis log.