Dear Group,
I have two problems which I think are related, but who knows... Here's the first problem: my step-daughter downloaded a file from her boyfriend using Trillian and then opened it, trusting it was safe. A few days later the IE browser started slowing up. [We're on ADSL and the browser slowed to 12 bytes per second before coming to a dead stop.]
She ran three anti-virus scans..AVG Pro, Norton Pro and Trend Micro [on-line] and got rid of 4 infected files..all trojans. She thought one was called .junta and the other had the number 8 in it..that's what she remembers. Anyway..
the files were quarantined and deleted and she hoped that fixed the problem, but it didn't. IE only connects to sites that were in her location bar [and very, very slowly..] and if she tries any new site it takes an hour to load, if it loads at all.

So then we tried System Restore [this is a brand new Dell we're on and it has been less than three weeks on-line..was working brilliantly at that!]..trouble is, when it restarts it comes up with a message saying the system cannot be reset to a previous date [any previous date] BUT IT DOESN'T SAY WHY or how to fix the problem.
Please, oh, please..I forked out a lot of bread for this computer for her and now all it can do is play music and games..but surfing, mailing, downloading, etc. are just not possible.

Zohar
Amsterdam


Here, go to this site (if you can on your computer, or on another one with internet access):
http://www.spychecker.com/program/hijackthis.html
Download HijackThis, place it on your C: drive, then open up the program and hit Scan. Once the scan is complete, save the log and post it here.

Logfile of HijackThis v1.97.7
Scan saved at 5:04:56 PM, on 8/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\winsrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\docume~1\akaineko\locals~1\temp\msbb.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\taskmger.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Microsoft Service] winsrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msbb] c:\docume~1\akaineko\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [Microsoft Task Monitor] taskmger.exe
O4 - HKLM\..\Run: [Windows Manager] winsrv.exe
O4 - HKLM\..\Run: [dmnmt] C:\WINDOWS\dmnmt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Service] winsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Task Monitor] taskmger.exe
O4 - HKLM\..\RunServices: [Windows Manager] winsrv.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Microsoft Service] winsrv.exe
O4 - HKCU\..\Run: [Microsoft Task Monitor] taskmger.exe
O4 - HKCU\..\Run: [Windows Manager] winsrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MUSICMATCH MX Web Player (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
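Several later replies in this thread pick out autostart values by eye: a Run entry that launches a bare winsrv.exe or taskmger.exe with no path, msbb.exe running from a temp folder, a file name one letter off a real Windows binary. This added Python script (not from the thread or from HijackThis) applies those same checks to the O4 lines of a log; the KNOWN_SYSTEM set and the reason strings are constructed for the example.

```python
"""Triage HijackThis O4 (autostart) lines with the checks helpers in this
thread apply by eye.  Added example, not part of the thread or of HijackThis."""
import re

# Matches e.g.  O4 - HKLM\..\Run: [msbb] c:\...\msbb.exe  (Global Startup .lnk lines are skipped)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Binaries an impostor name is likely to imitate (constructed, not exhaustive).
KNOWN_SYSTEM = {"taskmgr.exe", "svchost.exe", "services.exe",
                "winlogon.exe", "lsass.exe", "explorer.exe"}

def _distance(a, b):
    """Levenshtein distance; a value of 1 catches taskmger.exe vs taskmgr.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _executable(cmd):
    """First token of the command line, surrounding quotes removed."""
    m = re.match(r'"([^"]*)"?|(\S+)', cmd.strip())
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""

def triage_o4(line):
    """Return (value name, executable, [reasons]) or None for non-O4 lines."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = _executable(m["cmd"])
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if "\\" not in exe:          # loader resolves it from the search path
        reasons.append("bare file name, location unverifiable")
    if "\\temp\\" in exe.lower():
        reasons.append("runs from a temp directory")
    if base not in KNOWN_SYSTEM and any(_distance(base, k) == 1 for k in KNOWN_SYSTEM):
        reasons.append("name is one edit away from a Windows binary")
    return m["name"], exe, reasons

def suspicious_entries(log_text):
    """All O4 entries in a HijackThis log that earned at least one reason."""
    hits = [triage_o4(line) for line in log_text.splitlines()]
    return [h for h in hits if h and h[2]]

# Lines copied from the log posted above.
SAMPLE = r"""O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Service] winsrv.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\akaineko\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [Microsoft Task Monitor] taskmger.exe
O4 - HKLM\..\RunServices: [Windows Manager] winsrv.exe"""
```

Running `suspicious_entries(SAMPLE)` flags the two winsrv.exe values, msbb and taskmger.exe, and leaves the Dell PCMService entry alone.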

OK, since you don't have System Restore and I am a semi-newb to HijackThis (I only know common spyware entries, which you don't have), I would wait for a mod or someone with more HJT experience to tell you what to do. I would hate to mess up your computer and not be able to restore back.

Not long ago a message on the computer said that a virus was detected called Trojan Horse downloader.alchemic.a. It advised us to run AVG to get rid of the virus, so we did that, but AVG didn't find any virus at all when we ran the full test. We are trying our best to find ways to get rid of it now, but if anyone has any other tips on our problem please tell us. Thanks.

Have you run Ad-Aware from www.lavasoft.de and Spybot from www.safer-networking.org? I can see a spyware entry which either of those might clean up.

The msbb entry is the 180search assistant. If you did not intend to have this on your system you can uninstall it by following the instructions here: http://www.180searchassistant.com/uninstall.html

There are a few other entries in there but you'd have to get someone more experienced than me to tell you how to remove it 'just in case'.

BTW, can you create a restore point with your System Restore? Perhaps the problem is that there are no restore points to return to?

Yes, we can create a restore point, but shouldn't it just be able to return to a previous date? Either way, the computer is so new that we hadn't even thought of making a restore point yet. We have Ad-Aware Pro and we run it daily (just did a full system scan an hour ago and it says it removed all spyware).

Also, moments ago Norton AntiVirus came up with a virus warning telling us it couldn't repair the file. The virus is called Bloodhound.Packed. We tried to follow the path it gave us where the virus should be located, but none of the folders it's talking about are actually there.

Likely the files/folders you need access to are hidden/system files/folders. Open up Windows Explorer, (not Internet Explorer), pick Tools from the top menu, pick Folder Options, pick View, and change Hidden Files and Folders to 'Show hidden files and folders', then while in there, I personally also clear the mark from 'Hide extensions for known file types', and for 'Hide protected operating system files'. (The last two are optional, I just don't like anything being able to hide in my system!). That should help you out a bit. Finding that file should be a cinch after you do this. :)

Good luck!

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

This file should be fixed also, unless you want that extra search bar. It is a common spyware problem that I've had a lot.

Go here for an on-line scan & set it to autoclean for you.

Try this scan as well.

Dear Group!
I think I found it! ;-)
PLEASE NOTE THIS....after having tried every fix on the Net I could find, including Tzar [Trojan Zapper anti-spyware..a really awesome program, but it only cleaned 99% of the problem] and the one-time fix for AGENT.j I downloaded from TREND-MICRO-EUROPE... which didn't work either... I got lucky and saw a file come up in start-up which attached itself to the bottom of the list in the box of processes running [RegCleaner-Startup files]..and it is called "task.mngr" and is being run by HKLM___\...RunServices\wnsrv.exe
So I opened Start, clicked Run and typed in Regedit, which opened my registry.
I scrolled to HKLM_Software\Microsoft\Windows...\Run services and found the default [REG_SZ] and also the winsrv.exe, which I promptly deleted..leaving the default untouched.
Voila!!! I'm back on-line and all problems have disappeared.
I do not know if this is a temporary fix, but for now it allows me to get on-line as fast as ADSL will go.
I think my system was not only infected but hijacked, because every modem test I ran said it was working fine and that I was transmitting at 100mps..while still getting a message from both my browsers that I was not connected to the internet [!!!]
So I think my computer was turned into a spam slave or virus-spreading server every time I started my computer.
Tell a friend that NO anti-virus, anti-trojan or registry cleaning program will pick up this file..and without the file the virus can't operate, period, no matter how many copies it makes of itself into other folders on your PC.
Again I thank you for all your responses..
_sincerely
Zohar

Glad you've fixed it.

Would you like to post a new hijackthis log so we can see which entries are left and which have been removed?

Yes, indeed..gladly..but I will post it later this evening as I have an engagement to attend to right now..and must-do shopping..but I promise I'll have it posted here before I go to bed.
Anyway, if someone else has a problem like mine, tell them to hit Ctrl/Alt/Del and look at all the processes running, scroll down for two really nasty ones..anything that says msbb and another, the big nasty, the task manager program that is attached to HKLM\...RunServices wnsvr.exe or wnsrv.exe. Kill it! Then go to Run, type regedit and delete that value in the registry.
You may still have the virus on your PC but it can't get out!
;-)
Thanks again.
-Sincerely

PS!--Also scan your system for any file or cookie that says @180solutions or CoolWebSearch..it is a virus-driven file.
PSS!- Shut off 'System Restore' when running any anti-trojan or anti-spyware program to try and zap your bug [right click My Computer and click Properties, you'll see the System Restore tab..open it and turn it off...then restart, run the AV/AT again. If you're clean and your computer works again, reset the System Restore and then open Programs in Start..look for Accessories and then System Tools and System Restore. If you can set a new restore point I think your problems with Agent J [Bloodhound.Packed] Downloader.32 are fixed.

You can alternatively just uninstall the msbb one by uninstalling the 180search assistant as I mentioned earlier.

The msbb entry is the 180search assistant. If you did not intend to have this on your system you can uninstall it by following the instructions here: http://www.180searchassistant.com/uninstall.html

Maybe you read it before I edited it to add that in - I didn't want to do too much double posting!

Dear Techie Whiz,

I see the "Please do not post HJT logs" above so....suffice it to say that I tried several programs including Lavasoft Ad-Aware, SpywareBlaster, Sygate, AVG 6.0 and NAV..ended up downloading a pattern file from trend-micro-europe..and then that Trojan Zapper I mentioned..plus RegCleaner....running back and forth between our old 40GB clone and the new 372GB Dell...I could get on-line, but within a minute my browser slowed to almost a dead stop..2.0kbs..then the browser would tell me I got disconnected.
So..no on-line scan was possible. I had to burn everything on a CD and then front-load it into the Dell and try running it from the ROM drive...[yeeeesh..]
Trojan Zapper was by far the most thorough of the bunch..but I did not try AVPE..
As for the msbb...it was not the main problem..I think it was imported into the PC by the first virus, because our History file and Temporary Internet Files were full of @180 cookies..a zillion it looked like, and dated over the weekend when the problem started and we couldn't get on-line [said the browser]. That's why I think the bug takes over your PC and acts like a remote server for somebody..like the CoolWebSearch buddies..who knows.
All I know is once I found the winsrv.exe file in the RunServices folder and killed it, all my problems stopped. The question remains, however: was the file the problem or just another symptom of the problem..like, was the wnsvr.exe placed there by a virus that may be backed into a corner but isn't dead yet? Will it wait until the next full moon to strike again..insert itself into RunServices and try again? Will it mutate into another bug that hits the root system files or corrupts the memory and start-up functions? Will I find myself locked out of my own computer for Halloween?
I try not to think about it......
;-\
Zohar

Try a program called ZillaSoft Connection Accelerator. It can fix the speeds, but I don't know about the disconnects (that's probably a problem with either a network signal or some hardware being loose).

Why not head in in Safe Mode and delete the files you think are neutralised?

PS: the "do not post HijackThis logs in this forum" at the top of the page is to stop people just posting a HijackThis log for analysis, as they should be in the security forum. I was just interested to see if any of the entries had been changed/removed.

Tried that....my AV tools scanned and scanned, found nothing..I loaded a trojan killer..ran that..nothing.
And the virus keeps coming back..I know what process to shut down to let me get on-line again, but every time I start up it's back..loading wnsvr.exe in HKLM\...\Run & RunServices.

I've got taskmger.exe running from Documents & Settings and C:\I386..as well as from the System folder...and when I kill the process I get my computer back.
Also there is a CThelper.exe that came as part of the Audigy sound card Dell used and that is causing problems with my CPU...
I tried reformatting Windows XP but keep getting an error code that Windows is protecting itself and won't let me finish the install. So now, when I restart I get an option to go to Windows Setup or Windows Home..
HOW do I get rid of the annoyance..how do I undo the setup so it won't affect my start-up?
I'm about ready to heave this computer out the window.... ;-(
-Sincerely
