removing viruses


37 replies to this topic

#1 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 27 February 2007 - 04:08 PM

Hello,

I've been working with Ax in the other PC Problems forum on a problem with my TCP/IP, and he has come to the conclusion that it is a virus and has asked me to come here and post a log file. He also told me to provide a link to the forum that we were working on. Any help would be wonderful.

http://forums.tomcoy...showtopic=76599

hope this was the link...


Here is the HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 4:06:09 PM, on 2/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Documents and Settings\default\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Complete Security] "C:\Program Files\Defender Pro Private Surf\PrivateSurfNT.exe"
O4 - HKLM\..\Run: [CompleteSecurityUpdate] "C:\Program Files\Defender Pro Private Surf\AutomaticUpdate.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1162288934386
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170002170050
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe


matthew
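As an added example, not from the original post or from the HijackThis project, here is a small Python script that parses a log in the HijackThis v1.99.1 layout shown above into per-section entries and flags the things an analyst looks at first: targets the tool reports as "(file missing)" or "(no file)", services with no vendor string ("Unknown owner"), and anything in the O20 Winlogon Notify section, which is loaded at every logon. The log text embedded in it is constructed, not the poster's full log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v1.99.1 layout (not the poster's full log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\system32\\svchost.exe
C:\\Program Files\\QuickTime\\qttask.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_09\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINNT\\system32\\Ati2evxx.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcsysmon.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")

# Markers HijackThis itself prints when it cannot resolve an entry's target.
SUSPICIOUS_MARKERS = {
    "(file missing)": "target file missing",
    "(no file)": "no file behind entry",
    "Unknown owner": "service has no vendor string",
}
# Sections loaded at logon that deserve review regardless of wording.
WATCH_SECTIONS = {"O20": "Winlogon Notify entry (loaded at logon)"}


@dataclass
class Entry:
    section: str                 # e.g. "O4"
    body: str                    # text after "O4 - "
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a HijackThis log into (running processes, Oxx entries)."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header lines such as "Platform:"
        entry = Entry(m.group(1), m.group(2))
        for marker, reason in SUSPICIOUS_MARKERS.items():
            if marker in entry.body:
                entry.flags.append(reason)
        if entry.section in WATCH_SECTIONS:
            entry.flags.append(WATCH_SECTIONS[entry.section])
        entries.append(entry)
    return processes, entries


def review(text: str) -> Tuple[int, Dict[str, int], List[Entry]]:
    """Return (process count, entries per section, entries that carry a flag)."""
    processes, entries = parse_hjt(text)
    per_section: Dict[str, int] = {}
    for e in entries:
        per_section[e.section] = per_section.get(e.section, 0) + 1
    flagged = [e for e in entries if e.flags]
    return len(processes), per_section, flagged


if __name__ == "__main__":
    count, per_section, flagged = review(SAMPLE_LOG)
    print(f"{count} processes, sections: {per_section}")
    for e in flagged:
        print(f"{e.section}: {e.body}\n    -> {'; '.join(e.flags)}")
```

A flag here only means "look at this"; the O23 entries for the ATI drivers are flagged because HijackThis could not read a vendor string, not because they are malicious, and the O20 WRNotifier line is a leftover of an uninstalled product rather than an infection. The value of the script is that it turns a long log into the handful of lines a helper actually has to judge.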



#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 March 2007 - 04:38 PM

Hello and welcome to the forums

Please go HERE and do an online scan.
Let me know what is found.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser and want to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download AVG Anti-Spyware from HERE and save that file to your
desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop
    and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition
    files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a
      progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of
    the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then
    select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting
    your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware
    is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab
    then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little
    time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all
    actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the
    screen and save it to a text file on your system (make sure to remember where
    you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the
    results of the AVG Anti-Spyware report scan along with a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 06 March 2007 - 10:12 AM

LDTate, hello, thank you for getting back to me. I included a link to the other forum where I am getting help about not being able to get on the internet. So is there another way to do what you need me to do? I can use another computer to get the programs but I will not be able to update. Sorry for the difficulty. Matthew

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 March 2007 - 04:20 PM

Let's see if we can get the PC back on the internet. This file will fit on a floppy or thumb drive.

Get a copy of winsockxpfix.exe You just run it and
things should work OK after it reboots your system.

http://www.snapfiles...nsockxpfix.html


#5 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 07 March 2007 - 09:26 AM

I ran the program that you wanted me to. It ran fine and restarted the computer, but I still can't get on the internet. Matthew

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 March 2007 - 06:12 PM

Click Start > Run > type in CMD and tap the Enter key.
Copy/Paste or type in: ipconfig /flushdns
If you are typing this in, note the space between the g and the /f.
It needs to be there.


Now let's check some settings on your system.
Enter your Control Panel and double-click on Network Connections

Then I clicked on NetBios over Tcpip

I would change that back. You don't want NetBios over Tcpip.

Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Note: Do this for all Network Connections
Press OK twice to get out of the properties screen and reboot if it asks

If it still doesn't work:
Restart Windows and unplug/replug the power to the
router / modem and try it again.


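The DNS steps above are click-through instructions. As an added example (not LDTate's and not part of the original thread), the Python script below does the same check from the text side: it parses the IPv4-era `ipconfig /all` layout used by Windows 2000/XP and flags adapters that either have DHCP turned off (so "Obtain DNS Servers Automatically" cannot be in effect) or resolve through DNS servers outside a set the analyst expects, here the router that hands out the DHCP leases. The `ipconfig` text, adapter names and addresses in it are all constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed `ipconfig /all` output (IPv4-only layout as printed by Windows 2000/XP).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : home-pc
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            203.0.113.6

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Wireless Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-66
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "Key . . . . : value" lines; keys may contain hyphens ("Connection-specific").
KEY_RE = re.compile(r"^\s+([A-Za-z][\w\- ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter name: {key: [values]}}; extra values come from continuation lines."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Adapter headers start in column 0 and end with a colon.
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.rstrip()[:-1]
            adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue                      # global "IP Configuration" block
        m = KEY_RE.match(raw)
        if m:
            last_key = m.group(1).strip()
            values = adapters[current].setdefault(last_key, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif last_key is not None:
            # Indented line with no key: a second DNS server or gateway for the previous key.
            adapters[current][last_key].append(raw.strip())
    return adapters


def audit_dns(text: str, expected_resolvers: List[str]) -> Dict[str, List[str]]:
    """Flag adapters that are statically configured or use resolvers outside the expected set."""
    expected = {ipaddress.ip_address(a) for a in expected_resolvers}
    findings: Dict[str, List[str]] = {}
    for name, fields in parse_ipconfig(text).items():
        if not fields.get("IP Address"):
            continue                      # disconnected adapter, nothing to check
        issues = []
        if (fields.get("DHCP Enabled") or ["No"])[0].lower() != "yes":
            issues.append("DHCP disabled: addressing and DNS are static")
        for server in fields.get("DNS Servers", []):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                issues.append(f"unparseable DNS server entry {server!r}")
                continue
            if addr not in expected:
                issues.append(f"DNS server {addr} not in expected set")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for adapter, issues in audit_dns(SAMPLE_IPCONFIG, ["192.168.1.1"]).items():
        print(adapter)
        for issue in issues:
            print("   ", issue)
```

The expected-resolver set is an input on purpose: `ipconfig` cannot tell a DNS server that arrived in the DHCP lease from one typed in by hand (or written by malware), so the analyst states what the LAN's router should be handing out and the script reports every adapter that deviates. On the affected machine the text would come from `ipconfig /all > ipconfig.txt`; here the script reads the embedded sample.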

#7 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 08 March 2007 - 08:54 AM

I got as far as ipconfig /flushdns and it came back with the message "Could not flush the DNS Resolver Cache". Some side notes: when I clicked Start > Run > and typed in Devmgmt.msc, I clicked on View > Show hidden devices, and under Non Plug and Play Drivers I saw a yellow ! next to the Tcp/ip Protocol Driver. I also noticed that it was stopped, and when I click on Start it does nothing. NetBios over Tcpip is started and I can't get it to stop by clicking Stop. I also noticed that there was a wincom32 driver; it has a yellow ! next to it and it is stopped also. Don't know if this helps or not, just saw it and wanted to let you know. Being without a home computer is very hard. :) Matthew

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 08 March 2007 - 09:56 AM

Try moving on to this:

Then right click on your Default Connection
Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Note: Do this for all Network Connections
Press OK twice to get out of the properties screen and reboot if it asks


#9 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 08 March 2007 - 12:40 PM

I tried what you suggested and it still hasn't let me back on the net. Matthew

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 08 March 2007 - 03:40 PM

Delete this file if found:
C:\Windows\System32\wincom32.sys

Reboot and let me know if it's working now.


#11 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 09 March 2007 - 09:05 AM

I looked for that file that you said and I could not find it. I went to Start > Find > and typed in wincom32.sys, making sure that I was in the C:\ drive. I don't know if that would have found it or not? Matthew

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 March 2007 - 03:28 PM

Start> Search> All Files and Folders and type in wincom32


#13 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 11 March 2007 - 12:23 PM

I'm sorry, yes, that is what I did, and it did not find that file. Matthew

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 March 2007 - 12:33 PM

OK. When you looked in Device Manager you said a couple things had Yellow marks next to them?


#15 lilguy27

lilguy27

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 11 March 2007 - 01:33 PM

wincom32 driver and Tcp/ip Protocol Driver. They were both stopped and clicking Start did nothing. Matthew
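The last few posts turn on driver state: the TCP/IP Protocol Driver is stopped and will not start, and an unfamiliar wincom32 driver sits next to it. Device Manager shows this one item at a time; `sc query type= driver state= all` prints the same information for every driver as text. As an added example, not from the thread, the Python below parses that output and reports three things a helper would want from it: required networking drivers that are not RUNNING, drivers whose last start returned a Win32 error, and drivers that are not in a baseline list of names the analyst expects on the build. The `sc query` text is constructed; the driver names mirror the ones discussed above but the states and exit codes are made up, and the baseline here is a two-entry placeholder rather than a real Windows 2000 driver inventory.

```python
import re
from typing import Dict, Iterable, List

# Constructed `sc query type= driver state= all` output. Names follow the thread
# (Tcpip, NetBios over Tcpip, wincom32); the states and codes are invented.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Tcpip
DISPLAY_NAME: TCP/IP Protocol Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: NetBT
DISPLAY_NAME: NetBios over Tcpip
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: wincom32
DISPLAY_NAME: wincom32
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

ERROR_SERVICE_NEVER_STARTED = 1077   # a stopped driver that was never asked to start; not a failure
STATE_RE = re.compile(r"^\d+\s+(\w+)$")  # "1  STOPPED" -> "STOPPED"


def parse_sc_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service name: {field: value}} from `sc query` output."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not line or not sep:
            continue                      # blank lines and the "(STOPPABLE, ...)" flag line
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = value
            services[current] = {}
        elif current is not None:
            services[current][key] = value
    return services


def state_of(fields: Dict[str, str]) -> str:
    m = STATE_RE.match(fields.get("STATE", ""))
    return m.group(1) if m else "UNKNOWN"


def triage_drivers(text: str, required_running: Iterable[str], baseline: Iterable[str]) -> Dict[str, List[str]]:
    """Report drivers that should be running but are not, failed starts, and names outside the baseline."""
    required = {n.lower() for n in required_running}   # service names are case-insensitive
    known = {n.lower() for n in baseline}
    findings: Dict[str, List[str]] = {}
    for name, fields in parse_sc_query(text).items():
        state = state_of(fields)
        issues = []
        if name.lower() in required and state != "RUNNING":
            issues.append(f"required driver is {state}")
        code = fields.get("WIN32_EXIT_CODE", "0").split()[0]
        if code.isdigit() and int(code) not in (0, ERROR_SERVICE_NEVER_STARTED):
            issues.append(f"last start failed with Win32 error {code}")
        if name.lower() not in known:
            issues.append(f"not in baseline ({state})")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    report = triage_drivers(SAMPLE_SC_QUERY, ["Tcpip", "NetBT"], ["Tcpip", "NetBT"])
    for driver, issues in report.items():
        print(driver, "->", "; ".join(issues))
```

Read against the thread, the two findings are exactly the two things the poster saw in Device Manager: the TCP/IP driver is stopped and its last start failed (error 31, the generic "device attached to the system is not functioning"), and wincom32 is a name the baseline does not know. The script does not delete anything; a driver outside the baseline is a lead to investigate (where is its file, which package installed it), not a verdict.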
