Can't visit Anti-virus websites among other things...

Discussion in 'adware, spyware & hijack cleaning' started by computerneedsenema, Jun 10, 2004.

Thread Status:
Not open for further replies.
  1. computerneedsenema

    computerneedsenema Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    3
    My computer is a bloody mess...I do have a HijackThis log, which I will post. What are my problems? I can't access any Anti-virus websites (www.symantec.com, trendmicro.com, etc.), my browser occasionally gets hijacked to other search sites. I get pop-ups, etc. Most annoyingly, the entire system locks up and crashes consistently. I have SBC-Yahoo as an internet provider (blech!) and their connection software is HORRIBLE. I'm always getting error messages about 0xc00000017 crashing and the like. I don't know if that's related to the other problems I'm having. I have heard there is some virus that won't let you visit Anti-virus websites, but no one could give me any more information than that. There is also a registry key that consistently appears on my Start-up menu no matter how many times I delete it off. I've found it several times in my registry and tried to delete it, only to have it come back, yet again. I'm at my wit's end. Please help?
    (The registry key that will not go away is:
    O4 - HKLM\..\RunServices: [È0¥ÝRw] ’¿ObÓt¼Ž‹<)

    Logfile of HijackThis v1.97.7
    Scan saved at 6:20:38 AM, on 6/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
    C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
    C:\Documents and Settings\Owner\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us8.hpwis.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Windows System Manager Loader] smsls.exe
    O4 - HKLM\..\RunServices: [È0¥ÝRw] ’¿ObÓt¼Ž‹<
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{11377BC2-CB23-4D60-86F7-7D7CC9141273}: NameServer = 206.13.29.12 206.13.30.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{11377BC2-CB23-4D60-86F7-7D7CC9141273}: NameServer = 206.13.29.12 206.13.30.12
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi computerneedsenema,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

    O4 - HKLM\..\RunServices: [Windows System Manager Loader] smsls.exe
    O4 - HKLM\..\RunServices: [È0¥ÝRw] ’¿ObÓt¼Ž‹<

    Then reboot into safe mode and delete:
    c:\windows\system32\smsls.exe

    Then find C:\WINDOWS\System32\drivers\etc\hosts and rename it to hosts.bak
    See if you can visit the AV sites now.

    Information found at: http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_AGOBOT.TF

    Regards,

    Pieter
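The two things this reply acts on, a hosts file pointing antivirus vendor names at a wrong address and O4 autostart entries with the traits of the infected ones (a RunServices key, a bare unqualified executable, a value name made of junk characters), are both mechanical enough to check with a script. The following is an added example, not code from the thread, from HijackThis or from Trend Micro: the hosts-file content and the O4 lines it runs over are constructed here, modelled on the log above, and the list of vendor domains to watch is an assumption (a real list would be longer).

```python
import re

# Constructed sample hosts file in the shape an Agobot-style hijack leaves behind.
# The domains are the ones the original poster could not reach; the IPs are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       symantec.com
127.0.0.1       www.trendmicro.com
127.0.0.1       trendmicro.com
10.0.0.1        housecall.antivirus.com
"""

# Vendor domains to watch (assumption: a short constructed list for the example).
AV_DOMAINS = ("symantec.com", "trendmicro.com", "antivirus.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_hosts_hijacks(text, watched=AV_DOMAINS):
    """Return [(ip, hostname)] for watched vendor domains pinned in the hosts file.
    Any such entry is suspect: vendors do not ship hosts entries, so the only
    legitimate source would be a deliberate local administrator override."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((ip, name))
    return hits


# Constructed sample HijackThis O4 lines modelled on the log posted in the thread.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\RunServices: [Windows System Manager Loader] smsls.exe",
    "O4 - HKLM\\..\\RunServices: [È0¥ÝRw] ’¿ObÓt¼Ž‹<",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
]

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def triage_o4(lines):
    """Return [(line, reasons)] for O4 entries that show the traits acted on above:
    a RunServices entry (a Win9x-era key, rarely legitimate on XP), a bare executable
    name with no path (resolved through the search order), or non-ASCII / control
    characters in the value name or command (the junk name the poster could not remove).
    Each is only a signal; a human still decides, as Pieter did."""
    flagged = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["key"] == "RunServices":
            reasons.append("RunServices key")
        cmd = m["cmd"].strip().strip('"')
        tokens = cmd.split()
        exe = tokens[0] if tokens else ""
        if exe and not re.match(r"^[A-Za-z]:\\|^\\\\", exe) and "\\" not in exe:
            reasons.append("unqualified executable: " + exe)
        if any(ord(c) > 126 or ord(c) < 32 for c in m["name"] + m["cmd"]):
            reasons.append("non-printable or non-ASCII characters in name or command")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for ip, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts hijack: {name} -> {ip}")
    for line, reasons in triage_o4(SAMPLE_O4):
        print(f"suspect O4: {line}\n    " + "; ".join(reasons))
```

On a live machine the hosts text would come from C:\WINDOWS\System32\drivers\etc\hosts and the O4 lines from the saved HijackThis log; renaming the hosts file to hosts.bak, as suggested above, removes every pinned entry at once, which is why it is the quickest way to get the vendor sites back before a proper cleanup.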
     
  3. computerneedsenema

    computerneedsenema Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    3
    Okay, I did all that you said, but nothing has worked yet. Whatever has infected my computer is pretty nasty and is holding on and not letting go. I was able to get to TrendMicro via the co.uk link. I guess this is one link they have not been able to redirect with numbers placed in front of the address (I heard this is how they are disallowing virus info pages). I also was able to run a Trendmicro scan...The following viruses/trojans were found on the computer:

    The following viruses, I found the file in safe mode and deleted them (I also emptied out the recycle bin before restarting):

    AGOBOT.GEN
    C:\WINDOWS\system32\drivers\etc\hosts

    SMALL.IJ
    C:\WINDOWS\system32\ipv6mon.exe

    AGOBOT.TF
    C:\WINDOWS\system32\smsls.exe
    (Pieter also suggested I delete this)

    AGOBOT.KT
    C:\WINDOWS\System32\winhlpp32.exe

    AGOBOT.TF
    C:\sec.exe

    AGOBOT.TF
    C:\smsl.exe

    I also found the following on my computer, but the file it says is infected is not showing up anywhere in the folder (I have checked 'Show hidden files' in the folder options, too). I deleted a file with this name a while back, as it was found in another virus scan. There are some files beginning with wua, some of which may be valid, but I'm not sure about the others like wuacpl.cpl.manifest:

    SPYBOTER.CF
    C:\WINDOWS\System32\wuam.exe

    o_O

    I'm worried about being on the computer, as we speak, because now this nasty thing has de-activated my antivirus software altogether. Every time I try to turn it back on, it does absolutely nothing. The only place on the web I am going for the time being is to this site...I'm extremely worried about this. The harder I seem to fight it, the more damage it seems to do. It's been ramping up the CPU to 100% and crashing the computer, causing it to read that there isn't enough virtual memory. Is there any way to kill this other than reformatting? Or am I doomed? I can provide another HijackThis log if it helps?
     
  4. computerneedsenema

    computerneedsenema Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    3
    Something else to add...I also went to regedit and did a search of the registry for the values: È0¥ÝRw and ¿ObÓt¼Ž - they turned up in their usual places, but I also found another entry under

    HKLM\Software\Microsoft\Shared Tools\MsConfig\startup reg\

    I deleted the values out and thought, maybe, just MAYBE...they were being restarted every time the computer came back on and multiplying themselves because of this entry...but no, when I restarted the computer - guess what was in my Start-up folder, once again? Arrrgh!!

    Thanks so much, Pieter...You are the Messiah of the Spyware holy war...And I just want to figure out how to kick the holy crapness out of this virus!!!

    Thank you!!!
    A desperate blonde chick about to go bald from pulling out her hair
     