Help! HijackThis will not open


22 replies to this topic

#16 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 04 June 2006 - 06:22 AM

All the "baddies" are gone!!!! :) :thumbup:

Just one teensie, weensie thing to take care of.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This!
Click "Do a system scan only".
Then "check" the box to the left of these item(s):

O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

Then click "Fix checked" and close Hijack This!.

Copy the text in the following quote box into Notepad:

sc stop ntlogin32
sc delete ntlogin32


Save it to your desktop as ff.bat.

Now, <double-click> the ff.bat file on the desktop.

A DOS window will briefly open, then close.

Reboot, then make another HijackThis! log to be sure that one last thing stays gone.

Are things running better now?
:unsure:
Post Infection Items To Ponder
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!



#17 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 05 June 2006 - 07:07 AM

No not all the baddies. I still get pop-ups. Is that something I just have to deal with?
I still get 3 or 4 unwanted IE windows every time I use the internet. Annoying but not overwhelming.
I do not get the cascade of IE windows. Not like the 61 windows I got on the worst day.
That's a plus. The computer is not bogged down to the point of being useless. That is a definite Woo Hoo! :)
There is a curious folder on my computer, could you please tell me what it is and what the computer uses it for? c:\windows\PreFetch
I ran Ewido again, it found 29 infected objects.

here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:10:31 AM, on 6/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Loris\Desktop\Friday.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#18 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 05 June 2006 - 08:01 AM

Please download and run Spybot-Search&Destroy and Ad-Aware; they are the standard programs for finding and cleaning malware off your system. Here are links to both programs, and instructions for their use.

Get Spybot - Search & Destroy from Spybot Search and Destroy
(This is the NEW Version 1.4)
Get AdAware SE Personal from Lavasoft
(This is the NEW Build 1.6)

Download and install these programs if you don't already have them. If you do have them, make sure they are UPDATED AND CONFIGURED AS DESCRIBED here:

Configure Adaware

Configure Spybot

Reboot after running each program.

Please try this free online virus scan of your system:

Panda Activescan
Accept default settings.

When it's finished, save the report, and "copy/paste" it into your next post.

Reboot after running the scan.

Next time you run Ewido, save the report and "copy/paste" it into this thread.

I don't see a "pop-up blocker" installed. If you updated your Windows to SP2 (you're still at SP1), IE has its own pop-up blocker.

Until then, may I suggest Pop-up Stopper Free from Panic Ware.

Be advised that "pop-up blockers" will occasionally stop links you click on from working. In that case, hold the <Ctrl> key down, then click the link. It should open up. It can also interfere with some game sites (like Pogo). If it does, just turn it off while playing games, and turn it back on when finished.

There is a curious folder on my computer, could you please tell me what it is and what the computer uses it for? c:\windows\PreFetch

Read about it here:

Windows prefetch

Your log still looks good. :thumbup:

I'll be waiting for your report from the Panda scan, after installing/running Adaware and Spybot.

:)

#19 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 06 June 2006 - 09:56 AM

OK the computer is dead. I am using an old laptop now.
I downloaded Spybot. The computer went nuts. I tried to use Spybot in safe mode. Computer locked up. Never got it to run.
I went to Panda website, clicked on the online scan by Activescan. All I got was an avalanche of browser windows and pop-ups. Computer locked up and had to be manually shut off.
Turned the computer on and had a bubble on the lower right warning that the computer was in danger of malware/spyware and two red X's on the task bar.
I tried to run the Panda Activescan again. Computer locked up again. I gave up and went to bed.

This morning I turned on the computer. Nothing on the desktop but wallpaper (my grandmother's photo), no icons, no start, nothing.
Control-Alt-Delete got a box that said that Task Manager has been disabled by your administrator.
Went to safe mode, ran Ewido; it was at 59% when the computer shut off and rebooted in normal mode.
Again with the wallpaper and no icons.

Control-Alt-Delete got me a box that said "This computer is in use and has been locked. Only MaryAnn/Loris or an administrator can unlock this computer." It wanted a password. I have never put a password on that computer! I clicked OK. Nothing. I waited a couple of minutes trying to figure it out and then clicked OK again.

The box that says "Task Manager has been disabled by your administrator" came up again, only this time there were 6 boxes. Clicked OK on them all. Again with the wallpaper.
Control-Alt-Delete got me 26 Task Manager has been disabled boxes.

I was going to go to safe mode but chose the "Last known configuration that worked" Still only wallpaper. As I pushed the power button the start bar flashed as well as an error box but I could not read it before the computer shut off.

I went to safe mode. Opened Look2Me-Destroyer. Did not have time to click on anything before the computer rebooted.
Safe mode again. This time I opened Tuesday.exe (Look2Me-Destroyer). This time I clicked on the box to the left of "Run this program as a task". It closed and I waited 10 minutes. Nothing.
Opened Friday.exe (HiJackThis) Ran it in safe mode and saved to a floppy.

I am probably going to have to Fdisk the blasted thing. It seems that the computer got worse with every step I followed. Each program you suggested created a new and different issue. I regret that I have pictures from the digital camera on it that I did not save to a CD.
So here is the last HiJackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 10:41:18 AM, on 6/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Loris\Desktop\Friday.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\svchost.exe
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
F3 - REG:win.ini: run=C:\WINDOWS\svchost.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.138.154 socks.temphost.ws
O1 - Hosts: 85.249.138.154 j006_fljkdr.fgkfps.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3c95fdec.exe] C:\WINDOWS\System32\3c95fdec.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Loris\Local Settings\Temporary Internet Files\Content.IE5\5JMG2XPP\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [3c95fdec.exe] C:\Documents and Settings\Loris\Local Settings\Application Data\3c95fdec.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKCU\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - Startup: Desktop Application Director.lnk = C:\OFFICE\SHARED\WPC20\dtwin20.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1147623380437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147623298920
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#20 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 06 June 2006 - 10:36 AM

The root of your problem is that you have a whole new set of malware items on your machine that weren't in the last log:

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\svchost.exe
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
F3 - REG:win.ini: run=C:\WINDOWS\svchost.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O1 - Hosts: 85.249.138.154 socks.temphost.ws
O1 - Hosts: 85.249.138.154 j006_fljkdr.fgkfps.com
O4 - HKLM\..\Run: [3c95fdec.exe] C:\WINDOWS\System32\3c95fdec.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N822M1605] "C:\Documents and Settings\Loris\Local Settings\Temporary Internet Files\Content.IE5\5JMG2XPP\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [3c95fdec.exe] C:\Documents and Settings\Loris\Local Settings\Application Data\3c95fdec.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKCU\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

:(

I don't know how they got on there, but each of those items is something you do not want on your machine.

Let me know if you want to continue the fight, or throw in the towel.
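Micah's diagnosis above rests on two things: comparing the 6 June log against the 5 June one, and knowing which HijackThis sections (F2/F3 Shell/load/run, O1 hosts, O4 Run/RunServices, O20 Winlogon Notify) are persistence points. The following is an added example, not code from the thread or from HijackThis, that does that comparison in Python over a subset of the two logs; the "core binary outside system32" and Shell/load/run heuristics are the example's own assumptions, and `triage(OLD_LOG, NEW_LOG)` returns the flagged new entries with the reasons.

```python
import re

# Subset of the two logs posted above (5 June in OLD_LOG, 6 June in NEW_LOG).
OLD_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""
NEW_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\svchost.exe
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O1 - Hosts: 85.249.139.66 socks.tempservice.org
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Core Windows binaries; a copy living outside system32 is a masquerade (heuristic assumed here).
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

def parse(log):
    """Return (section, body) pairs for every HijackThis entry line in a log."""
    out = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def new_entries(old_log, new_log):
    """Entries in new_log that were not in old_log, in log order."""
    seen = set(parse(old_log))
    return [e for e in parse(new_log) if e not in seen]

def suspicious_reasons(section, body):
    """Heuristic reasons to inspect an entry; an empty list means nothing noted."""
    reasons, low = [], body.lower()
    # On XP, Shell= should be bare explorer.exe and load=/run= should be empty.
    if section in ("F2", "F3") and re.search(r"\.exe.*\.exe|load=\S|run=\S", low):
        reasons.append("extra program in Shell/load/run")
    if section == "O1":
        reasons.append("hosts-file redirection")
    if section == "O20":
        reasons.append("Winlogon Notify DLL loaded at logon")
    # Any drive-letter path in the entry whose file name is a core binary but
    # whose directory is not system32 gets flagged.
    for path in re.findall(r"[a-z]:\\[^\"\s]+", low):
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"{name} outside system32: {path}")
    return reasons

def triage(old_log, new_log):
    """Map each flagged new entry (as raw log text) to its list of reasons."""
    flagged = {}
    for section, body in new_entries(old_log, new_log):
        reasons = suspicious_reasons(section, body)
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged
```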

#21 Sunny1

Sunny1

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 08 June 2006 - 11:43 AM

Thanks for all your valiant efforts to solve the problem. I am going to let my son reformat the hard drive. If that doesn't work we will put a new hard drive in the tower. :( I have tried everything you and he could think of to cure it. In the end normal mode is unusable. I bought a USB Flash Disk and was able to save my pictures and documents while in safe mode. There is nothing of any value that can not be replaced by reinstalling programs from CD's. Thanks again, Be well, Sunny1

#22 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 08 June 2006 - 11:52 AM

We tried.... :(

I would like to suggest 3 things you do after reformatting the hard drive and re-installing Windows:

1. Get antivirus protection (I don't see any), keep it updated, and scan regularly.

2. Get a Firewall (I don't see that either).

3. Update Windows to SP2.

There are free antivirus and free firewall products at the link below.

Those 3 items will go a long way towards preventing this from happening again.

M68 :)


#23 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 08 June 2006 - 05:21 PM

This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link

(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

