Staci's Hijackthis log


  • This topic is locked
33 replies to this topic

#1 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 18 February 2006 - 11:02 AM

Hi there :) My name is Staci, and my computer was pretty badly filled with spyware and viruses. Here is what I've done so far:
  • I ran Spybot, Adaware and Ewido and it removed at least 700 spywares once it was all done :blink: I rebooted each time they removed something and re-ran them each until they had nothing else pulling up.
  • I ran CWShredder and it removed a few things.
  • I also ran a virus scanner and it removed about 50 viruses.
  • I turned off all non-essential start-up programs through msconfig (from the very right tab), and also turned off non-Microsoft services. (I was advised to do this by a friend because the computer would not run at all unless it was in Safe Mode)
  • Finally, I ran another anti-spyware program and it's showing a lot of infected registry files still. However to remove them I have to pay $40 to activate the program and I'm scared to remove them manually hehe. The program is called XoftSpy.
After getting rid of everything it's fixed most of my problems, but I'm still having the following problems:
  • My computer is still loading really slowly at startup (when everything pops up it has an hourglass for at least a minute)
  • My Quick Launch toolbar keeps defaulting to off (both while I'm logged on and when I log off and back on again). The XoftSpy shows there is a thememanager registry that is set at 0, so I'm wondering if that's part of the problem.
  • I'm still having some problems with IE being started by itself, and then I get an error that it's been shut down.
Btw, I have IE but I don't use it much, I use the most updated Firefox browser.

Here is my Hijackthis log. If anyone has a chance to look it over and let me know if I should remove anything, I would greatly appreciate it :) I had tried CyberSnooper (to try to see if I could limit my kids usage) but it was not working correctly and I removed it from the add/remove programs. I noticed there is still something about this in the Hijackthis log and not sure why.

Logfile of HijackThis v1.99.1
Scan saved at 10:24:46 AM, on 2/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Documents and Settings\Stacy\Desktop\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: PD - {7102B1F9-B771-4C7B-A864-6166A3BD6E56} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9C3E8350-5873-4D8E-A1D4-DCB9E885E86D} (CYBSnoop Control) - http://www.cybersitt...vex/AXSnoop.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: wancp - wancp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll (file missing)


Thank you very much for anyone who is able to assist me with this. My computer is running "ok" right now so this is not crucial, but if anyone has the time I would love to get it running at optimal, and work on anything that is necessary to protect it from this happening again :lol:

Edited by Staci, 18 February 2006 - 11:26 AM.



#2 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 18 February 2006 - 11:53 AM

Click here for Instructions on how to Scan with Spybot S&D and Ad-Aware

Download System Security Suite v1.04 here
Tutorial here.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Reboot in safe mode. Close all Browser and Program Windows.
Have HijackThis fix the following. Do this by checking the box beside each and then clicking on Fix checked.


You may need to set your computer to show hidden files. Click here for Instructions.
Then click start>my computer>local disk
(then follow the path) or Using Windows Explorer, locate the following files/folders, and delete them:

Delete the following file(s) listed.

ssldr32.dll
wancp.dll
C:\WINDOWS\system32\dcom_14.dll


Delete the folder(s) listed
C:\PROGRA~1\Jalmp

Please download Winhelp2002's deldomain.inf to your desktop. http://www.mvps.org/.../DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'
It will not appear to have done anything, thats ok.


Reboot after scanning and post a new HJT log.

Reboot, then run 3S; under the “Items To Clear” tab place a checkmark in all of them except user-defined folders.
Reboot and Rescan with HJT and post a new log here.
Also please describe how your computer behaves now.

#3 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 18 February 2006 - 07:57 PM

Thank you so much Little Eagle :)

Ok..I'm not sure if I followed the instructions correctly because I was a little unclear on a couple of steps.

This is what I did:
  • Downloaded and installed System Security Suite v1.04. Settings put to what you linked.
  • Downloaded Pocket Killbox and unzipped it to my desktop.
  • Rebooted in safe mode and closed everything.
  • Ran Hijack this and removed the following (hidden files were already shown):
    ssldr32.dll
    wancp.dll
    C:\WINDOWS\system32\dcom_14.dll
  • I did not see this in the Hijackthis log when I ran it again so it was not removed: C:\PROGRA~1\Jalmp
  • Downloaded and installed Winhelp2002's deldomain.inf
  • Rebooted and ran Spyware and Adaware, nothing was found on either.
  • Rebooted and ran 3S per instructions.
  • Rebooted and ran Hijackthis again. Log is below.
Problems cleared up:
Quick Launch is no longer disappearing, thanks :D

Problems I am still having:
  • When I load up the hourglass is there for about 10-15 seconds, then for another 30 seconds I cannot click on anything.
  • When I try to switch between programs on the taskbar it will get "stuck" and won't let me switch some of the time. I have to open up Task Manager and double click to use the program I want.
  • I can't get things to minimize so I can see the desktop.
  • I keep getting a Services app error (not sure exactly, I got locked out when it did this and didn't get the exact wording). Sometimes when I get that error I then get a message that the computer is going to shut down. It says it was initiated by NT Authority/System and that the following was the reason: C:\WINDOWS\system32\services.exe shut down, Status code 1073741819
Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:25:20 PM, on 2/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stacy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: PD - {7102B1F9-B771-4C7B-A864-6166A3BD6E56} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9C3E8350-5873-4D8E-A1D4-DCB9E885E86D} (CYBSnoop Control) - http://www.cybersitt...vex/AXSnoop.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)

Edited by Staci, 18 February 2006 - 08:30 PM.
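As an added example (not code from this thread, from HijackThis, or from the helpers here), the script below applies to the two logs posted above the checks a helper performs by eye: Winlogon Notify and SSODL hooks whose DLL is already gone, Trusted Zone grants to non-Microsoft domains, a MIME filter on text/html, an unnamed BHO, and the missing URLSearchHook. It also diffs the 10:24 AM log from the first post against the 8:25 PM log from this post to list exactly which entries disappeared. The entry lines are excerpts copied verbatim from those two logs; the severities, the rule set and the Trusted Zone allowlist are assumptions made for the example.

```python
"""Triage and diff of HijackThis v1.99.1 log entries (added example)."""
import re
from urllib.parse import urlparse

# Entry lines copied verbatim from the two logs in this thread (excerpts):
# the 10:24 AM log before the fixes and the 8:25 PM log after them.
LOG_BEFORE = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe",
    r"O15 - Trusted Zone: http://click.getmirar.com (HKLM)",
    r"O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
    r"O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll",
    r"O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)",
    r"O20 - Winlogon Notify: wancp - wancp.dll (file missing)",
    r"O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)",
    r"O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\system32\dcom_14.dll (file missing)",
]
LOG_AFTER = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
    r"O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)",
]

# Every HijackThis entry line starts with a section code followed by " - ".
ENTRY_RE = re.compile(r"^([RFOD]\d+) - (.*)$")
# Assumption for this example: Trusted Zone hosts a helper would leave alone.
TRUSTED_ZONE_ALLOW = ("microsoft.com", "windowsupdate.com")


def parse(lines):
    """Return (section, body) tuples for entry lines; headers and process lists are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def trusted_zone_host(body):
    """'Trusted Zone: http://click.getmirar.com (HKLM)' -> 'click.getmirar.com'."""
    token = body.split(":", 1)[1].split()[0]
    return (urlparse(token).hostname or token).lower()


def allowed(host):
    """True only for the allowlisted domains and their subdomains (no substring tricks)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOW)


def assess(section, body):
    """Return (severity, reason) for one entry, or None when it looks benign.

    'remove': fix with HijackThis and delete the file if it is still on disk.
    'review': not hostile by itself; confirm what installed it before touching it.
    """
    orphan = "(file missing)" in body or "(no file)" in body
    if section == "O20" and orphan:
        return "remove", "Winlogon Notify hook whose DLL is gone; Winlogon still tries to load it before the shell"
    if section == "O21" and orphan:
        return "remove", "ShellServiceObjectDelayLoad entry pointing at a file that no longer exists"
    if section == "O15" and not allowed(trusted_zone_host(body)):
        return "remove", "Trusted Zone lowers IE security for " + trusted_zone_host(body)
    if section == "O18" and body.startswith("Filter: text/html"):
        return "remove", "MIME filter on text/html intercepts every HTML page IE renders"
    if section == "O18" and orphan:
        return "review", "protocol handler references a missing DLL; broken rather than hostile"
    if section == "R3" and "missing" in body:
        return "review", "default URLSearchHook is absent, usually removed by a cleanup tool"
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "review", "unnamed BHO; confirm the DLL belongs to a known product"
    return None


def triage(lines):
    """Map each flagged entry (its full log line) to its (severity, reason)."""
    result = {}
    for section, body in parse(lines):
        verdict = assess(section, body)
        if verdict:
            result[f"{section} - {body}"] = verdict
    return result


def diff(before, after):
    """Entries that disappeared and entries that appeared between two logs of one machine."""
    b, a = set(parse(before)), set(parse(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, (severity, reason) in triage(LOG_BEFORE).items():
        print(f"[{severity}] {line}\n    {reason}")
    gone, new = diff(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(gone)} entries gone after the fix, {len(new)} new:")
    for section, body in gone:
        print(f"  - {section} - {body}")
```

Run against the first log, the "remove" verdicts are the two Mirar Trusted Zone entries, the Jalmp text/html filter, both Winlogon Notify hooks and both SSODL entries, which is the same set little eagle targeted in post #2 (ssldr32.dll, wancp.dll, dcom_14.dll and the Jalmp folder) plus the O15 entries that DelDomains.inf clears. Run against the second log, only the SysTray.Exbr SSODL entry is still rated "remove" and the R3 hook is left for review, matching the items fixed in post #6. A "(file missing)" entry means the DLL is already gone but the registry reference is not, so the fix is the HijackThis entry, not a file deletion; conversely an entry whose file is present needs the DLL checked on disk before deciding, which a log excerpt alone cannot do.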


#4 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 18 February 2006 - 08:00 PM

Sorry, looking at the reply I made it looks like it didn't copy and paste right :o Can you post another HijackThis log?

Edited by little eagle, 18 February 2006 - 08:01 PM.


#5 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 18 February 2006 - 08:33 PM

Sorry about that Little Eagle. As I was posting that I had the error pop up that my computer was shutting down (this has been happening for the past few days). I posted the error real fast because it wouldn't let me open up notepad to save it hehe. I edited my above post and put in the instructions I followed, and the problems I'm still having. I also posted my Hijackthis log. The folder you told me to remove did not show back up in my Hijackthis log when I ran it again for some reason..just to let you know. I had not changed anything except for downloading the programs you linked. Thank you again :D

Edited by Staci, 18 February 2006 - 08:34 PM.


#6 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 18 February 2006 - 08:46 PM

Close all programs leaving only HijackThis running. Place a check against each of the following,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)


Click on Fix Checked when finished and exit HijackThis.


Make a restore point with Windows. Just a safeguard in case your registry backup fails.

Backup your Registry...
click start > run > enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then download RegSeeker http://www.hoverdesk.net/freeware.htm. Extract it to its own folder, open it and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in the lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. Reboot when done.

Edited by little eagle, 18 February 2006 - 08:47 PM.


#7 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 18 February 2006 - 10:30 PM

Yay! The errors stopped and it's not shutting down on me anymore. It's still taking about 15 seconds to load but it seems faster, and I seem to be able to switch back and forth easier.

The only minor problems I'm still having are the following:
  • I opened MSN Messenger and a contact's picture wasn't showing for me even though they had it up. I closed it and reopened it and it took about 2 minutes for it to load back in. Right now I see MSN Messenger on the taskbar, but my hourglass is up and it won't let me click on anything below my browser window.
  • Also when I am opening or closing programs sometimes the taskbar will disappear for a few seconds then come back. This is annoying but not crucial..this has also been happening the past couple of days.
  • I'm getting a message that my firewall was turned off (I did not turn it off). When I try to turn it back on I get the following error: Due to an unidentified problem, Windows cannot display Windows Firewall settings.
  • I am trying to remove Microsoft .NET Framework 1.1 (not using the program anymore which needed this) and it gives me this error: Error 1316. A network error occurred while attempting to read from file: C:\WINDOWS\Installer\netfx.msi
Do I need to defrag perhaps? I haven't done that in a while hehe.

#8 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 18 February 2006 - 10:46 PM

After MSN Messenger froze up and I made the last post, it wouldn't let me minimize Firefox or shut it down. I tried shutting it down using Task Manager and it locked up my computer (I could move the arrow but couldn't click anything). So I rebooted and when I came back on, it had the hourglass for 10 seconds. It was letting me click things on the desktop but nothing on the taskbar (Quick Launch or Start button) for another 10-15 seconds. When I tried to open up MSN it gave me the Services and Control app error again..and then it again popped up the NT AUTHORITY error and it shut the computer down on its own. When I logged back in, I had the same slowdown problem on loading up (hourglass for 10 seconds, not letting me click Taskbar for 15 seconds). Once it was loaded I opened up Photoshop and then MSN and Firefox and haven't gotten any errors again (yet). I still cannot see the picture of my contact in MSN (I can see someone else's picture though). Their picture was showing up ok last night for me.

#9 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 18 February 2006 - 11:13 PM

Click Start > Run, then type in or paste in

sfc /scannow


You must be logged on as a member of the Administrators group to run sfc.

If sfc discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file.

Try this link if you have any trouble.

http://www.updatexp....cannow-sfc.html

#10 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 19 February 2006 - 09:28 AM

Whoops ..was having a problem and that website gives a solution further down. Reading/working on it now :)

Edited by Staci, 19 February 2006 - 09:31 AM.



#11 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 19 February 2006 - 09:40 AM

Ok..nope I definitely need the WinXP CD according to that webpage. I tried the fixes and they didn't work *smacks forehead* Is there anyplace I might be able to download these files? If not I'm going to have to find the CD (my mom cleaned my room a while back and I have no idea what she did with it hehe)

#12 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 19 February 2006 - 11:41 AM

My mother doesn't know where my WinXP CD is..lovely :lol: I might be able to get my brother-in-law to burn a copy of it for me to use for this if there is no other solution :)

#13 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 19 February 2006 - 07:44 PM

Can you run Ewido and post the log here. Also did you run hijackthis in safe mode?

Edited by little eagle, 19 February 2006 - 07:46 PM.


#14 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 19 February 2006 - 08:30 PM

Sure, are you wanting me to run a scan of the system with Ewido and post that report? I see the "Scanner" section, and also three things to look at under the "Analysis" section of Ewido (I have a lot of things listed in the Connections too). Do I need to turn everything else off when I run this and be in safe mode, or is regular mode ok? All of my Hijackthis logs I've posted here have been run in regular mode, not safe mode. Do you need me to run and post one while in safe mode? Also, I found this folder and removed it (though it still wasn't showing up in Hijackthis, in safe or regular mode): C:\PROGRA~1\Jalmp

#15 Staci

Staci

    Authentic Member

  • Authentic Member
  • PipPip
  • 22 posts
  • Interests:Reading fantasy/science fiction books and movies, computer and rpg games, people watching, swimming, nature, beaches and other assorted romantic nonsense. Picture linked above is me a couple of years ago.

Posted 19 February 2006 - 08:39 PM

To save time, just in case this is what you wanted me to do (I think you did from what I read), I ran the spyware scanner of Ewido in regular mode (not safe mode). Here is the log from that:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:37:10 PM, 2/19/2006
+ Report-Checksum: E4BA7691

+ Scan result:

:mozilla.37:C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\x3jtkact.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup


::Report End


Also, I rebooted my computer once I removed this.

I'm still getting the errors too. Are these stored somewhere and do you need to see them? It keeps pulling up the DrWatson Postmortem Debugger (think that's it).

Edited by Staci, 19 February 2006 - 08:50 PM.
