HELP!!!!!

My computer got infected with tons of viruses and spyware at the perfect.. time because my antispyware and antivirus programs had just expired.. I was getting continuous popups and things downloaded onto the desktop by themselves. I got off what I could and when I restarted I had no desktop, just a wallpaper.. I tried in safe mode and the same thing.. I can access anything on my computer by pressing Ctrl+Alt+Delete and hitting File > Run and getting to anything, but no desktop or start menu.. I got Spyware Terminator onto a thumb drive, loaded it on the computer and took off everything that it found, and it had a lot! Trojans and all that.. I did sfc /scannow and that didn't help.. and I checked the registry for

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe and it's not there.

i really need help!

Comments

  • NuppiNuppi South Ostrobothnia (Finland)
    edited May 2007
    Hi Bigciccone, and welcome to Short-media :D

    Please follow that link and send a fresh HijackThis log :D

    http://www.short-media.com/forum/showthread.php?t=43902
  • edited May 2007
    Logfile of HijackThis v1.99.1
    Scan saved at 1:17:08 AM, on 5/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
    O2 - BHO: (no name) - {5b60996c-402c-4e25-9ead-06d329964c51} - C:\WINDOWS\system32\igfcsy.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\ssqqqq.dll",realset
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pwintndu.exe CHD003
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - Winlogon Notify: igfcsy - C:\WINDOWS\SYSTEM32\igfcsy.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\System32\aspimgr.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
    O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
  • NuppiNuppi South Ostrobothnia (Finland)
    edited May 2007
    Hey Bigciccone,

    First, you have two antivirus programs. Remove one of them via the Add/Remove Programs panel.

    Second, Spyware Terminator is on the bad anti-spyware list, see
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Remove it, so you can download a better one.

    Third, copy the following lines to Notepad:


    @echo off
    rem Stop and then unregister the two services flagged in the HijackThis log.
    rem The service names (RpcPatch, RpcTftpd) are the ones shown in parentheses on the O23 lines.
    sc stop RpcPatch
    sc stop RpcTftpd
    sc delete RpcPatch
    sc delete RpcTftpd

    Save it to the desktop with the name service.bat, file type "All Files".

    Double-click it and, if any question appears, answer Yes.

    Scan with HijackThis and check:

    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
    O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\ssqqqq.dll",realset
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pwintndu.exe CHD003
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
    O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)

    Close all programs and click Fix checked.
    step#4
    Please download
    ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    Double-click ATF Cleaner.exe to open it.
    Under Main select the following:
    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    step#5
    Print out these instructions or save them with notepad or Word
    Please download AVG Anti-Spyware to your desktop. When ready, do the following:
    • Start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • Click the Scanner icon
    • Open the Settings tab
      • If you are having problems with the updater, you can use this link to manually update
      • Make sure that under "How to act?" it reads Quarantine
      • (If not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" select Automatically generate report after every scan
        and uncheck Only if threats were found
      • Under "What to scan?" select Scan every file

    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    Reboot to safe mode
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on
    • Start tapping the F8 key
    • The Windows Advanced Options Menu appears
    • Ensure that the Safe Mode option is selected
    • Press Enter. The computer then begins to start in Safe mode
    • Login on your usual account
    Open My Computer.
    Click Tools menu then click Folder Options.
    Click the View tab.
    Scroll to the "Hidden files and folders" section and click "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option. (SEE NOTE ABOVE ON THIS OPTION!) Click Yes to confirm. Then click OK.

    Remove those files if they exist:

    C:\WINDOWS\System32\kernels32.exe
    C:\WINDOWS\System32\spoolsvv.exe
    C:\WINDOWS\ssqqqq.dll
    C:\WINDOWS\System32\pwintndu.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\System32\wins\DLLHOST.EXE
    C:\WINDOWS\System32\wins\svchost.exe

    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" it reads Quarantine
      • (If not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    step#6

    Send a fresh HijackThis log and the AVG Anti-Spyware report :D
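The reply above picks its targets out of the posted HijackThis log by two patterns: O4 Run entries whose binary was dropped straight into C:\WINDOWS or C:\WINDOWS\System32 under a name imitating a system file (kernels32.exe, spoolsvv.exe), and O23 services with "Unknown owner" whose binary is "(file missing)". The Python script below is an added example, not code from the thread or from HijackThis: it applies those same triage rules to lines copied from the log so the same review list falls out mechanically. The set of well-known system names, the 0.85 similarity threshold, and the three clean control entries are assumptions made for this example, and the result is a list for a human to review, not an automatic verdict.

```python
"""Triage a HijackThis log the way the thread above does: produce a review list.

Added example, not code from the thread or from HijackThis. Sample lines are
copied from the posted log; the reference names and threshold are assumptions.
"""
import difflib
import re
from pathlib import PureWindowsPath

# Constructed sample: lines taken from the posted log, plus three clean
# entries (MSConfig, AVG7_CC, Avg7UpdSvc) kept as controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\ssqqqq.dll",realset
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\pwintndu.exe CHD003
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Assumed reference set: Windows binaries whose names malware likes to imitate.
KNOWN_SYSTEM_NAMES = sorted({
    "csrss.exe", "explorer.exe", "kernel32.dll", "lsass.exe", "services.exe",
    "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe",
})
# Legitimate software rarely registers an autorun whose file sits directly here.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
SIMILARITY = 0.85  # assumed threshold for "looks like a system binary"

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)


def program_of(cmd):
    """Pull the executable (or, for rundll32, the loaded DLL) out of a Run-key command."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe"):
        cmd = cmd[len("rundll32.exe"):].strip()  # the real payload is the DLL
    m = re.search(r'"?([^"]*?\.(?:exe|dll|ocx))', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def lookalike_of(basename):
    """Return the well-known system name this file name imitates, or None."""
    low = basename.lower()
    if low in KNOWN_SYSTEM_NAMES:
        return None
    stem = low.rsplit(".", 1)[0]
    for known in KNOWN_SYSTEM_NAMES:
        known_stem = known.rsplit(".", 1)[0]
        if difflib.SequenceMatcher(None, stem, known_stem).ratio() >= SIMILARITY:
            return known
    return None


def triage(log_text):
    """Return (line, reason) pairs for log entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m4 = O4_RE.match(line)
        m23 = O23_RE.match(line)
        if m4:
            path = PureWindowsPath(program_of(m4.group("cmd")))
            parent = str(path.parent).lower()
            if parent in WINDOWS_DIRS:
                reasons.append(f"autorun target dropped directly in {parent}")
            known = lookalike_of(path.name)
            if known:
                reasons.append(f"{path.name} imitates {known}")
        elif m23:
            if m23.group("owner").strip().lower() == "unknown owner":
                reasons.append("service has no publisher")
            if "(file missing)" in m23.group("path").lower():
                reasons.append("service binary is missing on disk")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample, the script flags exactly the five O4 entries and two O23 services the reply told the poster to fix and leaves the three controls alone. The directory rule is deliberately blunt (some OEM tools do live in System32), which is why each hit carries its reason and is meant to be checked by a person before anything is deleted.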
  • edited May 2007
    That didn't work.. but it did find a lot of crap. My impatient father couldn't wait and reformatted the computer.. Thank you for trying. I know you guys are the best; you have helped me out numerous times in the past.