Topic: Some nasty virus resident memory! Need help!!
prulon
Guest
« on: February 12, 2007, 08:22:02 AM »

;D Hi everyone,

I got a virus in resident memory, and all my efforts to clean it have fallen flat.

First, it killed my firewall (Sygate Firewall) and my antivirus (AVG Pro). Now, every time I try to install a firewall or an antivirus, I get a pop-up saying that it can't find the *.exe files to install the software on the computer. I was able to install eScan (for viruses) and TrojanHunter on the computer, but they were not much help.

The virus had corrupted the file wshcon.dll. That I managed to fix (I downloaded a new one and put it in place of the old one).

I can't see anything when I open Add/Remove Programs in the Control Panel, so I can't go there to find a way to install a firewall and an antivirus that could eliminate the threat.

When I start the computer in safe mode, it crashes and says to check for viruses.

When I started the computer (in regular mode) 3 times, the eScan program told me that a file named program could hurt the computer and asked me to rename it so it is safe.

Also, when I used TrojanHunter, it said: c:\pagefile.sys not scanned (in use by another application)... I can't find this file.

I found that folders had been put on the computer; those are: $WIN_NT$.~BT, FOUND.003 and FOUND.004.

Could someone who has a clue how to correct this give me a hand?

I thank you in advance

Prulon :D
Calum
Expert
« Reply #1 on: February 12, 2007, 08:27:52 AM »

Being unable to scan pagefile.sys is normal; it's your paging file and as such always in use. You won't be able to see it unless you enable showing hidden files and folders.
The folders there are normal - the first is a temporary folder left over from Windows installation, and the others are folders with recovered files in, usually from scandisk.
You say you can't boot into safe mode - what exactly happens when you try to?
What antivirus programs do you have on the C, and which ones work?

Can a mod please move this to viruses?
Thanks.

Blackberry: done
Cheers - Calum
« Last Edit: February 12, 2007, 08:45:43 AM by Calum »
prulon
Guest
« Reply #2 on: February 12, 2007, 09:32:27 PM »

Hi everyone, and thanks for answering me, Blackberry.

I found that I have the Mitglieder.Q.

I found it with STOPzilla. The problem is I can't remove it, because the program is a trial and it does not remove viruses in the trial.

Do you know a free program that would do the job?

The only AV that would install was eScan. I tried many top AVs but none of them worked.

It's late so I'll go to sleep. Tomorrow, I'll try again in safe mode and write down what the message is, then I'll post it.

Thanks again

Prulon :P
dl65
R.I.P.
Prodigy
« Reply #3 on: February 13, 2007, 12:49:17 AM »

thanos...... Just so we know, will your PC boot up in normal mode?
You say the trojan killed the anti-virus ....... I suspect it just disabled it and hopefully you can restart it.

Will it start up in safe mode?

dl65  ::)

If you don't know the answer, it isn't a dumb question.
prulon
Guest
« Reply #4 on: February 13, 2007, 12:50:18 PM »

Hi,

Thanks for posting, dl65... :P

The STOPzilla free trial 4.4 just found and blocked the virus; it did not remove it. I need the registered version for that.

I still can't start the computer in safe mode, but it starts in 'normal mode'.

Safe mode starts fine until I see: 'Loading SPTD.SYS'... It stays at the bottom of the screen for a couple of seconds, then a blue screen appears.

Here is a transcript of what is written on the blue screen in safe mode:

'' ***stop:0x0000007B (0xEB41B84C, 0xC0000043, 0,00000000, 0,00000000) INACCESSIBLE_BOOT_DEVICE

Check for viruse on your computer, check you hard drive to see if it is proprely configured and terminated.

Run CHKDSK /F to check for hard drive corruption, and then restart your computer.''

I did the latter a couple of times. The hard drive had corrupt strings and was repaired, but it comes back.

I know that my hard drive is fine, and I know that I have MITGLIEDER.Q. (At least, that is what STOPzilla said.)

Now I need to find a way to remove it.

Also, if someone knows a firewall and an AV that won't be 'killed' by viruses or other things, I'd appreciate your input on the best of both.

Thanks again

Prulon :D
dl65
R.I.P.
Prodigy
« Reply #5 on: February 13, 2007, 02:05:05 PM »

thanos ........ ok ....... you didn't really say if AVG Pro will open ......
But in any event .... how about d/l HijackThis ....... get it from ....
http://www.majorgeeks.com/download3155.html once you have it d/l'd ...... to your desktop, close up everything else, install and run a scan, save the log and post it here so we can see what's going on.
Use as many posts as necessary to get it all posted.


dl65  ::)

If you don't know the answer, it isn't a dumb question.
prulon
Guest
« Reply #6 on: February 13, 2007, 02:49:24 PM »

Hello

Here is the HijackThis log... And by the way, thanks for your fast help... :D

Logfile of HijackThis v1.99.1
Scan saved at 4:41:56 PM, on 2/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hldrrr.exe
C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globetrotter.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Toon Boom Animation\Toon Boom Studio 3.5\Resources\English.lproj\help\fullPC\wwhelp\wwhimpl\common\html\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=938d72bb6586a89e5f02f3daae11ebb5020085e5c909ae61b1b31c788889826e&fti=yes"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [UpdService] C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [STOPzillaInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STOPzilla\SZSetup.exe product_install=STOPzillaFULL.msi sz_install=finish
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\STOPzilla.exe" /autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabletWorks.lnk = C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

Part 2 follows... :P
prulon
Guest
« Reply #7 on: February 13, 2007, 02:53:16 PM »

Here is part two of the HijackThis log file:

O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BvrpKrnl - Unknown owner - C:\Program Files\WinFax eXPert\BVRPKrnl.exe
O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\RpcSandraSrv.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

Hope this helps to solve the problem... You will see that I tried a lot of software to try to fix it.

Thanks again

Prulon
dl65
R.I.P.
Prodigy
« Reply #8 on: February 13, 2007, 05:00:59 PM »

thanos.....
ok.... let's see what we can do.
C:\WINNT\system32\hldrrr.exe - this is not good and must be removed.
Use the task manager to shut it down........ then download Prevx1 to remove it completely: http://info.prevx.com/downloadremove.asp

Once this has been done let us know what was found and that it was removed.

dl65  ::)

If you don't know the answer, it isn't a dumb question.
prulon
Guest
« Reply #9 on: February 14, 2007, 10:46:56 AM »

Hello,

I tried Prevx1. It found malware, but didn't want to put it in the jail, so I couldn't delete it.

I tried AVG Anti-Spyware, and it found 332 files that it quarantined and deleted.

But that seems not to have done the trick, because my PC still had problems afterwards.

I figure that it would be because Prevx1 didn't put the malware in the jail to be deleted, but held it so it could do no harm. So I just uninstalled Prevx1 and redid a scan with AVG Anti-Spyware... We'll see... :P

The AVG software found these on the first scan (among the 332 files):

dropper.delf.vt
hijacker.vb.ku
worm.bagle.ht
worm.bagle.hx
worm.bagle.hw
dropper.agent.bct

Have a clue what those are?

There are two other things:

When Windows starts, it opens a window from program files\common, and in it is a file named vsovprev.ax... What's that?

Also, a pop-up appears that says: winnt\csc\00000002 is corrupt and unreadable. Do chkdsk /f.

I did it a couple of times (the chkdsk /f), and every time the computer rebooted itself, seemingly forever; then, when it started Windows without rebooting, the same things appeared again (both things above).

By the way, I tried to boot in safe mode, but it's still bogging... :(

Anyway... With the help I have from you and the things I read on the net, I'm sure I'll manage to fix it... :P

Thanks again

Prulon :)
oddjob
Malware Removal Specialist
Moderator
Hopeful
« Reply #10 on: February 14, 2007, 11:12:42 AM »

thanos .... what dl65 says is right. That process is from the W32/Bagle-KF worm infection.

However .... you have many other problems. Your java is well out of date, you have a CWS infection and, probably most importantly, a Trojan that allows a remote intruder to gain access and control over your computer through IRC channels.

Please print this out to help you follow the advice.

This is in the log ....

O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe

We must stop & disable this added service.

1. To stop the service and set to 'disabled' .....

Go to Start > Run and type in "Services.msc" (without the quotes)  then click OK

Click the Extended tab

Scroll down until you find the service

O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe

Click once on the service to highlight it

Click Stop

Right-Click on the service

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.

***********

Download Ewido/AVG Anti Spyware from here ….

http://www.ewido.net/en/

It has a fully working 30 day trial period.

Install it and update it to the latest definitions.

Do NOT use it yet.

***********

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

***********

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

***********

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (IF it still exists) ...........

C:\WINNT\system32\hldrrr.exe

***********

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (IF they still exist; make sure you do not miss any) .........

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Toon Boom Animation\Toon Boom Studio 3.5\Resources\English.lproj\help\fullPC\wwhelp\wwhimpl\common\html\blank.htm

O4 - HKLM\..\Run: [UpdService] C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe

O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe


Remember to close ALL open windows & browsers, including this one, then click "Fix Checked" at the foot of the HJT window.

***********

Delete the following Files indicated in BOLD IF they are still present ....

C:\WINNT\system32\hldrrr.exe

C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

C:\Program Files\Toon Boom Animation\Toon Boom Studio 3.5\Resources\English.lproj\help\fullPC\wwhelp\wwhimpl\common\html\blank.htm

C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe

C:\winnt\system32\directx.exe

***********

Still in safe mode run a full system scan with AVGAS and let it fix what it wants to.

REMEMBER TO SAVE THE SCAN REPORT and also remember where you saved it.

[FOOTNOTE > this is a good program to use as an “on demand” scanner even after the trial period is over. Keep it updated and use it to scan your computer from time to time].

***********

Reboot your system in Normal Mode.

***********

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications"…..
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.
***********

Please post the results of the AVGAS scan and a fresh HJT log.

Please also say how your computer is operating now.


OJ
« Last Edit: February 14, 2007, 11:19:46 AM by oddjob »

Member ASAP
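What dl65 and oddjob did by eye above (spot the unrecognised process in system32, the unknown-owner service installed in system32, the autorun launched from a temp folder, the LSP HijackThis could not identify) can be scripted as a first pass over a HijackThis log. The parser below is an added example, not code from this thread or from HijackThis itself; the system32 allowlist and the two severity labels are my assumptions, and the sample log is a constructed excerpt of the one posted above. It reports candidates only: ATI's ati2sgag.exe trips the same rule as directx.exe, and a person still decides.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis v1.99.1 log posted in this thread
# (Windows 2000 SP4 paths), trimmed to the sections the triage looks at.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hldrrr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [UpdService] C:\Program Files\Common Files\Microsoft Shared\MSWNInfo\UpdService.exe
O4 - HKLM\..\Run: [STOPzillaInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STOPzilla\SZSetup.exe product_install=STOPzillaFULL.msi sz_install=finish
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Outpost Firewall\outpost.exe" /waitservice
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BvrpKrnl - Unknown owner - C:\Program Files\WinFax eXPert\BVRPKrnl.exe
O23 - Service: DirectX Service (DirectXopr) - Unknown owner - c:\winnt\system32\directx.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

# Binaries a Windows 2000 box legitimately runs from %SystemRoot%\system32.
# Constructed, deliberately short allowlist: extend it from a known-clean machine.
SYSTEM32_BASELINE = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "regsvc.exe", "mstask.exe", "stisvc.exe",
    "winmgmt.exe", "drwtsn32.exe", "explorer.exe",
}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")

@dataclass
class Finding:
    section: str   # "process", "O4", "O10" or "O23"
    severity: str  # "high": remove once confirmed; "review": identify the vendor first
    path: str
    reason: str

def norm(path):
    return path.strip().strip('"').lower()

def in_system32(path):
    return re.search(r"\\(winnt|windows)\\system32\\", norm(path)) is not None

def basename(path):
    return norm(path).rsplit("\\", 1)[-1]

def exe_from_cmd(cmd):
    # Executable part of an O4 command line: the quoted path, or text up to the first .exe.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def process_lines(log_text):
    """Lines between 'Running processes:' and the next blank line."""
    block = log_text.split("Running processes:", 1)[1] if "Running processes:" in log_text else ""
    return [l.strip() for l in re.split(r"\n\s*\n", block, maxsplit=1)[0].splitlines() if l.strip()]

def triage(log_text):
    """Entries worth a human's attention, in log order, deduplicated."""
    findings, seen = [], set()

    def add(section, severity, path, reason):
        key = (section, norm(path))
        if key not in seen:
            seen.add(key)
            findings.append(Finding(section, severity, path, reason))

    for proc in process_lines(log_text):
        if in_system32(proc) and basename(proc) not in SYSTEM32_BASELINE:
            add("process", "high", proc, "unrecognised binary running from system32")
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" and in_system32(m["path"]):
                add("O23", "review", m["path"], f"service '{m['name']}' has no known owner and lives in system32")
        elif m := O4_RE.match(line):
            exe = exe_from_cmd(m["cmd"])
            if "\\temp\\" in norm(exe):
                add("O4", "review", exe, f"autorun '{m['key']}' launches from a temp folder")
        elif m := O10_RE.match(line):
            add("O10", "review", m["path"], "Winsock LSP unknown to HijackThis; identify the vendor before fixing")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:8} {f.path}  <- {f.reason}")
```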
oddjob
Malware Removal Specialist
Moderator
Hopeful
« Reply #11 on: February 14, 2007, 11:21:46 AM »

I was working on the above fix whilst you were posting your most recent comments. As you can see you have multiple problems but please proceed with the fix I posted. That should clean you up quite a bit.

We can move on from there.


OJ
« Last Edit: February 14, 2007, 11:22:07 AM by oddjob »

Member ASAP
patio
Moderator
Genius
« Reply #12 on: February 14, 2007, 01:20:05 PM »

Nice work, oddjob!

   
"All generalizations are false, including this one."
prulon
Guest
« Reply #13 on: February 14, 2007, 05:50:00 PM »

Hi,

And thanks OJ for your advice.

I just have a 'little' problem with what you wrote... I can't reboot in safe mode.

On the net I found this (below), for I thought I may have Win32.Agent.zf.

It is supposed to help me reboot clean... Remember that I have Win2k Pro with Service Pack 4.

I would appreciate it if you can tell me whether it is a good thing to do or not.

Here goes:

'' Manual removal:

   1. Create a c:\rescue.bat file which contains the following strings:
      @echo off
      :try
      del C:\WINDOWS\SERVICES.EXE
      if exist C:\WINDOWS\SERVICES.EXE goto try
   2. Modify the following system registry entry: from
      [HKLM\System\CurrentControlSet\Services\Eventlog]
       "ImagePath"="%SystemRoot%\system32\services.exe"
      to
       "ImagePath"="C:\rescue.bat"

      Doing this ensures that rescue.bat will be launched instead of the Event Log system service.
   3. Reboot the computer. The Trojan will be deleted once the system has been rebooted.
   4. Restore the original ImagePath value:
      [HKLM\System\CurrentControlSet\Services\Eventlog]
       "ImagePath"="%SystemRoot%\system32\services.exe"
   5. Delete the following keys from the system registry:

      [HKLM\Software\Microsoft\Serenta]

      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
       "SERVICES.EXE"="%Windir%\SERVICES.EXE"
   6. Modify the following parameters:
      [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
       "Shell"="Explorer.exe %Windir%\SERVICES.EXE"
      to:
       "Shell"="Explorer.exe"
       "Userinit"="C:\WINDOWS\system32\userinit.exe,,%Windir%\SERVICES.EXE"
      to:
       "Userinit"="C:\WINDOWS\system32\userinit.exe"
   7. Update your antivirus databases and perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus). ''

I won't do anything till I hear from you.

Prulon :P
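The recipe quoted above shows two kinds of registry change: the persistence the Trojan leaves behind (a second executable appended to the Winlogon Shell and Userinit values, and a Run entry named after a system binary) and a temporary change the recipe itself makes (the Eventlog ImagePath pointed at a .bat, which step 4 must undo). As an added example that is not from the quoted site or from this thread, here is an audit over a .reg-style export in the notation the post uses; it flags all four and returns nothing once the values from steps 4 and 6 are back. The allowlists and the sample exports are my own constructions.

```python
import re

# Constructed .reg-style excerpt reproducing the infected values quoted in the
# post: the Winlogon Shell/Userinit entries, the Run entry, and the Eventlog
# ImagePath as the removal recipe leaves it after its step 2.
INFECTED_EXPORT = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %Windir%\SERVICES.EXE"
"Userinit"="C:\WINDOWS\system32\userinit.exe,,%Windir%\SERVICES.EXE"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"SERVICES.EXE"="%Windir%\SERVICES.EXE"

[HKLM\System\CurrentControlSet\Services\Eventlog]
"ImagePath"="C:\rescue.bat"
"""

# The same keys with the values steps 4 and 6 restore (the stock Userinit value
# carries a trailing comma, so the audit has to tolerate it).
CLEAN_EXPORT = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

[HKLM\System\CurrentControlSet\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"
"""

# Only these binaries belong in the two Winlogon values on Windows 2000/XP (assumed allowlist).
EXPECTED_WINLOGON = {"Shell": {"explorer.exe"}, "Userinit": {"userinit.exe"}}
# Names that legitimately exist only under %SystemRoot%\system32 (assumed allowlist).
SYSTEM_BINARY_NAMES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

def parse_reg(text):
    """Map each [key] block to its "name"="value" string entries (other value types ignored)."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m["key"]
            reg.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            reg[current][m["name"]] = m["value"]
    return reg

def commands_in(value):
    """Shell and Userinit hold comma- or space-separated lists of commands."""
    return [c for c in re.split(r"[,\s]+", value) if c]

def audit(text):
    """Return (value path, reason) pairs for persistence entries that look tampered with."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith("\\winlogon"):
            for name, allowed in EXPECTED_WINLOGON.items():
                extra = [c for c in commands_in(values.get(name, ""))
                         if c.rsplit("\\", 1)[-1].lower() not in allowed]
                if extra:
                    findings.append((f"{key}\\{name}", "extra command(s) appended: " + ", ".join(extra)))
        elif k.endswith("\\currentversion\\run"):
            for name, value in values.items():
                if value.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARY_NAMES and "\\system32\\" not in value.lower():
                    findings.append((f"{key}\\{name}", "system-binary name launched from outside system32: " + value))
        elif "\\currentcontrolset\\services\\" in k:
            image = values.get("ImagePath", "").strip('"').lower()
            if image and not image.endswith((".exe", ".sys")):
                findings.append((f"{key}\\ImagePath", "service image is not an executable or driver: " + image))
    return findings

if __name__ == "__main__":
    for path, reason in audit(INFECTED_EXPORT):
        print(f"{path}\n    {reason}")
```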
prulon
Guest
« Reply #14 on: February 14, 2007, 07:07:45 PM »

Hi again,

I just posted not so long ago.

A pop-up always comes up that says winmgmt.exe has generated an error and will be closed by Windows; you will need to restart the program.

No program seems to work at the moment. Here is the log file:


Next I'll post the last HijackThis log.

Prulon
prulon
Guest
« Reply #15 on: February 14, 2007, 07:09:46 PM »

The last HijackThis log file, part 1:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:25 PM, on 2/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globetrotter.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=938d72bb6586a89e5f02f3daae11ebb5020085e5c909ae61b1b31c788889826e&fti=yes"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
prulon
Guest
« Reply #16 on: February 14, 2007, 07:14:53 PM »

Here is part 2 of the last HijackThis log file:

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabletWorks.lnk = C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BvrpKrnl - Unknown owner - C:\Program Files\WinFax eXPert\BVRPKrnl.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\RpcSandraSrv.exe

Can't find the avgas log file.

I'm not able to see what's in WINNT or Add/Remove Programs... kind of hard to remove the Javas.

Do you have a way around that?

It is long, and I really appreciate your effort to help me resolve my computer problems.

Prulon :P
oddjob
Malware Removal Specialist
Moderator
« Reply #17 on: February 15, 2007, 03:56:40 AM »

OK. Let's take this one step at a time.

PRINT THIS OUT.

You seem to have done most of what was needed. Well done. This latest log is as good as clean.

I don't know why you can't boot to safe mode but maybe that will improve.

Do this in "normal" mode :-


1. Update your AVG Anti-Spyware to the latest definitions and rescan your computer. Let it fix what it wants to fix. SAVE the scan report and, this time, remember WHERE you save it.


2. Go to this file again (in BOLD) ...

C:\WINNT\system32\hldrrr.exe

....and delete it IF it's still present.


3. Fix your Java. Work through the procedure I gave you in post #10. It is vital that you have the latest Java on your computer AND that you have removed older versions with "Add/Remove Programs".


In your next post please include the following 4 items ....

>> a fresh HJT log
>> the AVG Anti Spyware scan report
>> confirmation that you have now updated your java
>> another update on how the computer is operating now.


We'll go from there.


OJ
« Last Edit: February 15, 2007, 04:02:19 AM by oddjob »
prulon
Guest
« Reply #18 on: February 15, 2007, 10:25:26 AM »

Hello OJ,

I still can't start in safe mode.

And since the last time I posted yesterday night, the computer just starts Windows and, before everything is loaded, it reboots itself.
Still have the pop-up about wingmt.exe saying that it will stop and blah blah blah... ;)

Even after many chkdsk runs, it stays the same.

So now I can't do anything on my computer.

I was thinking it would be better to just put Win2k Pro on my other hard drive.

I know I'll have to put everything back again, but in that case I can at least recover my documents and other things.

What do you think about that?

That way, the virus or malware won't work, and after taking my files, I could format C.

I think the line to format is:

c:format/s

If I'm wrong, please tell me.

Thanks a lot for your time and help OJ... :P

Prulon
oddjob
Malware Removal Specialist
Moderator
« Reply #19 on: February 15, 2007, 12:33:45 PM »

Hi

Sorry to hear things are going from bad to worse. Just when it looked like you were fixing it.

That wingmt.exe file is definitely bad. If you could do it I would say hunt it down and delete it, but you can't.

It sounds to me like you now also have a corrupt .dll file as well as malware.

You now have two options... save all documents/pictures and so on, reformat and reinstall everything from the beginning, OR you can carry on and try to fix it.

If you want to fix this, obviously the first thing is to get the computer to boot up normally or in safe mode. That issue of rebooting is/was a common problem with W2000 SP4. Many people had that trouble.

1. Here is a Windows registry repair tool that may fix the boot-up problem...

http://www.microsoft.com/downloads/details.aspx?familyid=56d3c201-2c68-4de8-9229-ca494362419c&displaylang=en


2. Read this to help you get into the safe mode menu (I know this may not work but we try) ....

http://www.computerhope.com/issues/chsafe.htm#02

This helpsheet also suggests what to do to get into safe mode if it doesn't work in the usual way.


3. You may have to do a repair or reinstall. You should try a repair from the Windows 2000 setup CD. On re-installation the computer will ask whether to repair. Try that first. If it doesn't work you may have to reinstall.

Let us know what happens.


OJ
« Last Edit: February 15, 2007, 12:35:53 PM by oddjob »
prulon
Guest
« Reply #20 on: February 16, 2007, 02:24:45 PM »

Hi OJ, :P

I put Win2k on another hard drive so I can manage to clean the one with the virus (put in as slave).

The vcleaner found a 'blank.htm' that I didn't find, and deleted it.

Thought that would do; now it's the winmgmt.exe problem.

I'll try the registry recovery that you gave me a link to.

Hope it will do... :D

When I try to boot in safe mode, it stops when it says preparing (or something) the sptd.sys... I looked to see what it was on the net.

Seems that it has something to do with Daemon Tools... I saw a way to correct that, I'll try and see.

Thanks a lot for your sound advice.

I'll post later to tell how it is going.

Prulon ;)

prulon
Guest
« Reply #21 on: February 19, 2007, 05:40:46 AM »

HI,  :D

Finally, I managed to correct the problem... All viruses seem to be gone and I can reboot normally.

Some of the things are not working, but it is minor compared to what was before.

When I empty the recycle bin, it says that 'Dc2' can't be emptied, and I still can see nothing when I go to 'Add/Remove Software'.

The rest seems fine... ;D

Here is the last HijackThis log... By the way, a big thanks to OJ and the others who gave me a hand finding solutions to my computer's problems.

Logfile of HijackThis v1.99.1
Scan saved at 7:17:14 AM, on 2/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\winnt\Explorer.EXE
C:\Program Files\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files\Common Files\MicroWorld\Agent\MWAgent.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
C:\Program Files\eMule\emule.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globetrotter.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://by103fd.bay103.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=938d72bb6586a89e5f02f3daae11ebb5020085e5c909ae61b1b31c788889826e&fti=yes"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\0eufqvrq.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabletWorks.lnk = C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

The rest follows in the next thread.

prulon :D
prulon
Guest
« Reply #22 on: February 19, 2007, 05:51:17 AM »

Here is the rest of the HijackThis log file:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\winnt\system32\shdocvw.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\winnt\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\winnt\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Autodesk - (no file)
O23 - Service: avast! Mail Scanner - Autodesk - (no file)
O23 - Service: avast! Web Scanner - Autodesk - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BvrpKrnl - Unknown owner - C:\Program Files\WinFax eXPert\BVRPKrnl.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Unknown owner - (no file)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

I would like to know what are the best: firewall, spyware/malware remover and antivirus.

Also, the little problems I wrote about in the last thread. Does someone know a workaround to fix that?

Again, thanks a lot for the help... especially OJ

Prulon ;D
oddjob
Malware Removal Specialist
Moderator
« Reply #23 on: February 19, 2007, 06:34:23 AM »

Hi

Some last things to fix.


Go here .....

http://www.intermute.com/spysubtract/cwshredder_download.html

Download and install the stand-alone version of "CWShredder".

Scan your computer with the tool and let it fix anything it wants.

*************

Next, open HJT ... click on scan ... put tick/check marks next to these entries IF they are still present ....

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)


Remember to close ALL open windows - including this one - before clicking on "Fix Checked" at the foot of the HJT window.

*************

Emptying recycle bin... a few things to try ...

1. Can you boot to safe mode and empty the recycle bin? Then reboot to normal mode and it should stay empty.

2. Right click on the recycle bin and click on properties. Reduce the slide bar from 10% to 0% and reboot. The recycle bin should be empty. Then restore the recycle bin to 10%.

3. Download CCleaner from here....

http://www.ccleaner.com/

Click on download at the top, then follow the instructions BUT BE CAREFUL. Ensure you install it WITHOUT the optional Yahoo Toolbar download (you must untick/uncheck the relevant box on download).

Scan with the default options. That should clear out the recycle bin.

4. Run a repair install of windows.

*************

Finally, how to help keep yourself safe and protected (firewall, spyware\malware remover and anti virus) .....

If you are certain you have no more trouble you should clear out all old System Restore points then immediately create a new one so you have something to fall back on should anything go awry again. Also remember to make SR points on a regular basis.

More on System Restore ...

http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx


What may have led up to your infection, and help to keep your computer free of malware...

http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html

http://www.help2go.com/Tutorials/Protect_Your_PC/Avoid_Web_Browser_Hijackers.html

There is a little duplication but these tutorials are both well worth reading.

If you do suffer an infection again, you should first run CCleaner to clean out your system.

Also run through this before posting another HijackThis log …

http://www.help2go.com/Tutorials/Protect_Your_PC/Get_Rid_of_Spyware%2C_Adware%2C_and_Web_Browser_Hijackers.html


Best wishes.


OJ
« Last Edit: February 19, 2007, 06:36:43 AM by oddjob »
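The HijackThis logs posted in Reply #16 and Reply #22, and the short fix list in Reply #23, show the patterns a helper reads for first: registrations that point at nothing ("(no file)" / "(file missing)"), a Winlogon Notify package whose target is a bare directory instead of a DLL, a displayed service path with a stray quote, LSP entries HijackThis could not whitelist, and processes that no autostart entry accounts for. The script below is an added example written for this page, not a tool anyone in the thread used. It parses HJT v1.99.1-style output and reports those patterns as "review" items rather than deletions. The sample log is constructed from lines copied out of the two logs above and is not a complete log; the CORE_PROCESSES list is an assumed minimal set of Windows 2000 system processes; and whether the quote in the Prevx line is a real registry value or just how HJT displays a missing binary is unknown, which is why the script says "verify" rather than "remove".

```python
"""Triage helper for HijackThis (v1.99.1-style) logs. Added example, not a tool from the thread."""
import re
from collections import Counter

# Constructed sample: lines copied from the logs in Reply #16 and Reply #22,
# trimmed to the ones that trigger a check. Not a complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\winnt\System32\smss.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\eMule\emule.exe

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mwtsp.dll
O20 - Winlogon Notify: WgaLogon - C:\winnt\
O23 - Service: avast! Antivirus - Autodesk - (no file)
O23 - Service: LiveUpdate - Unknown owner - (no file)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")  # "O23 - Service: ..."
EXE_RE = re.compile(r"[\w~.\-]+\.exe", re.IGNORECASE)              # basename of any .exe in an entry

# Assumed minimal list of Windows 2000 system processes that have no O4/O23 entry of their own.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}


def parse_hjt(text):
    """Return (running process basenames, [(section, body), ...]) from a HJT log."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:               # blank line ends the process block
                in_procs = False
                continue
            procs.append(line.rsplit("\\", 1)[-1].lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return procs, entries


def check_entries(entries):
    """Flag registrations worth a second look. Each finding is (section, reason, line)."""
    findings = []
    for sec, body in entries:
        line = f"{sec} - {body}"
        target = body.rsplit(" - ", 1)[-1]     # last " - " field is the file or path
        if target == "(no file)":
            findings.append((sec, "registered but no file on disk: fix/remove the registration", line))
        if "(file missing)" in target:
            findings.append((sec, "service binary missing: stale or partially removed service", line))
        if sec == "O23" and target.count('"') % 2 == 1:
            findings.append((sec, "stray quote in displayed ImagePath: verify the real value in the registry", line))
        if sec == "O20" and target.endswith("\\"):
            findings.append((sec, "Winlogon Notify target is a directory, not a DLL: confirm the DLL exists", line))
    # O10 lines repeat once per protocol chain; report each distinct DLL once with its count.
    for body, n in Counter(b for s, b in entries if s == "O10").items():
        findings.append(("O10", f"LSP not in HJT whitelist ({n} entries): identify the vendor first; "
                                "repair the chain with an LSP tool, never delete the DLL by hand", f"O10 - {body}"))
    return findings


def check_processes(procs, entries):
    """Cross-check running processes against O4/O23 autostart entries."""
    autostart = {m.group(0).lower() for s, b in entries if s in ("O4", "O23") for m in EXE_RE.finditer(b)}
    findings = []
    for name, n in Counter(procs).items():
        if n > 1:
            findings.append(("proc", f"{name} running {n} times (drwtsn32.exe is Dr. Watson: repeated crashes)", name))
        elif name not in CORE_PROCESSES and name not in autostart:
            findings.append(("proc", "not tied to any O4/O23 autostart entry: user-launched or started by another program", name))
    return findings


def triage(text):
    procs, entries = parse_hjt(text)
    return check_entries(entries) + check_processes(procs, entries)


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run it as-is to see the nine findings for the sample, or pipe a saved log in by replacing SAMPLE_LOG. The O10 message is the caveat that matters most here: HJT labels mwtsp.dll "unknown" only because it is not in its whitelist; in this log it belongs to eScan (MicroWorld), and removing an LSP DLL by hand leaves Winsock pointing at nothing.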
prulon
Guest
« Reply #24 on: February 19, 2007, 09:36:17 AM »

Thanks OJ

I'll do what you wrote, then I'll post to tell you how it is going.

Really appreciate!!! ;D

Prulon:)
prulon
Guest
« Reply #25 on: March 02, 2007, 03:23:58 PM »

Hi,

I just wanted to say thanks a lot for your help.

I was able to fix almost everything.

My computer is kind of slower than before, but at least I can back up all that I need to, and after that I'll format.

It is good to know that there are people like you who just give a hand when they can.

Thanks again  ;D

Prulon
Copyright © 2010 Computer Hope ® All rights reserved.