help me please the desktop and windows is off

Discussion in 'adware, spyware & hijack cleaning' started by vhrios, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. vhrios

    vhrios Registered Member

    Joined:
    Mar 15, 2004
    Posts:
    4
    I have a problem with my keyboard: all the time it types the letter vvvvvvvvvvvvvvvvvvvv and I cannot control it.
    I didn't start Windows normally.

    I run many antivirus but nothing...
    help me !! please...

    Logfile of HijackThis v1.97.7
    Scan saved at 10:10:28 PM, on 7/9/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\winspol.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Program Files\GlobespanVirata\Adsl\dslstat.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\administrator\My Documents\Download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ub438dxn.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\ub438dxn.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\GlobespanVirata\Adsl\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\GlobespanVirata\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [WSAConfiguration] svchostt.exe
    O4 - HKLM\..\Run: [Video Process] sysconf.exe
    O4 - HKLM\..\Run: [Auto Start] winspol.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
    O4 - HKLM\..\RunServices: [WSAConfiguration] svchostt.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
    O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Auto Start] winspol.exe
    O4 - HKLM\..\RunOnce: [Auto Start] winspol.exe
    O4 - HKCU\..\RunOnce: [Auto Start] winspol.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: DigiChat Applet - http://y2kwebsolutions.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E4} (ShowSetupObj4 Class) - http://invite.mshow.com/(p3eudxa21wkzwsnr4ghjde45)/ShowSetup4.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Cursos interactivos de Microsoft\O10C\mitm0026.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38062.3555671296
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{32BDF12B-134F-43ED-9651-7799B8E49DCC}: NameServer = 63.171.232.38 199.2.252.10

    :'( :'( :'( :'( :'( :'( :'( :'( :'( :'( :'( :'( :'( :'( :'( :'(
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi vhrios,

    It looks like you have some nasty viruses/worms running:
    [Video Process] sysconf.exe - Symantec - W32.Gaobot.gen!poly
    [WSAConfiguration] svchostt.exe - Sophos - W32/Agobot-lO or could be: Trend Micro - Agobot.OB Worm
    [Auto Start] winspol.exe - I haven't been able to find any information on this file, so I am very suspicious of it.

    ______

    First, bring up TaskManager (pressing the Ctrl+Alt+Delete keys) and end the running process for the following files if present:

    sysconf.exe
    svchostt.exe
    winspol.exe


    Make sure you have all files and folders viewable:
    Open My Computer --> Tools menu --> Folder Options --> View Tab.
    Under the Hidden files and folders, select "Show hidden files and folders."
    Uncheck the "Hide protected operating system files (recommended)" option.
    Click Yes to confirm. Click OK.

    Then do a search for the above files, zip them up, and email them to the following email addresses for analysis:
    submit@diamondcs.com.au
    samples@nod32.com

    Try and upload the winspol.exe file to http://www.kaspersky.com/scanforvirus.html for a scan, if you can, and save the results to post back here.
    ______

    Next, download this removal tool for Gaobot:
    http://securityresponse.symantec.com/avcenter/FxGaobot.exe

    If you are unable to get to Kaspersky's or to download the Gaobot removal tool, then there's a good chance your Hosts file has been compromised.
    Follow the steps below to check your Hosts file:

    Download Toadbee's "hoster" from here: http://members.aol.com/toadbee/hoster.zip
    Unzip to a permanent folder (example c:\hoster) and double-click Hoster.exe to open it.
    Place a check in the box beside any entry below the 127.0.0.1 localhost entry that looks like the example below, and click the button "Delete checked Line" to remove the bad entries. Close Hoster when finished.

    Do not delete this line:
    127.0.0.1 localhost

    Delete any lines that look like these:
    127.0.0.1 www.symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.sophos.com
    127.0.0.1 www.mcafee.com
    (the list might be quite long)

    ______

    Disconnect from the internet

    Follow these instructions to boot your computer into Safe Mode:
    - Shut down your computer and turn off the power.
    - Wait 30 seconds, and then turn the computer on.
    - When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu will appear.
    - Use the arrow keys to select the Safe Mode option, and press Enter. (it may take a few minutes before you enter Safe Mode)


    Open HijackThis, rescan, and place a check beside the following items (make sure you get exactly the ones listed below).
    Have ALL browsers and any open programs/windows closed, except HijackThis, and click "Fix checked":

    O4 - HKLM\..\Run: [WSAConfiguration] svchostt.exe
    O4 - HKLM\..\Run: [Video Process] sysconf.exe
    O4 - HKLM\..\Run: [Auto Start] winspol.exe

    O4 - HKLM\..\RunServices: [WSAConfiguration] svchostt.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
    O4 - HKLM\..\RunServices: [Auto Start] winspol.exe

    O4 - HKCU\..\Run: [Auto Start] winspol.exe
    O4 - HKLM\..\RunOnce: [Auto Start] winspol.exe
    O4 - HKCU\..\RunOnce: [Auto Start] winspol.exe


    (resource hog and you don't need it at startup)
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    (I'm not sure about these, but if you do not recognize them, then include them too)
    O16 - DPF: DigiChat Applet - http://y2kwebsolutions.com/DigiChat...s/Client_IE.cab
    O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E4} (ShowSetupObj4 Class) - http://invite.mshow.com/(p3eudxa21wkzwsnr4ghjde45)/ShowSetup4.cab


    While still in Safe Mode, run the FxGaobot.exe removal tool.
    Run your antivirus too if you can.

    Then reboot your computer normally and run the FxGaobot removal tool once more.

    _______

    Go back online.

    Then go immediately to Windows Update Site and download and install ALL patches and critical updates for your operating system and IE so you won't become immediately infected again: http://v4.windowsupdate.microsoft.com/en/default.asp

    Then go to one (or both is better) of these on-line antivirus sites for a FULL scan and let them fix/delete what they find.
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    I do not see a firewall running. You can find some recommendations here: Firewalls

    Do another scan with Hijackthis and post a new log here in this thread, along with the Kaspersky scan, so we can be sure we got it all.

    Regards,

    snap

    (you should save these instructions to a .txt file so you can read them while offline and in Safe Mode, or print them out)
     
    Last edited: Jul 10, 2004
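The two checks snapdragin walks through above, spotting the worm's autorun entries in the HijackThis O4 lines (bare executable names such as svchostt.exe, sysconf.exe and winspol.exe registered under several Run/RunServices/RunOnce keys) and finding security-vendor domains hijacked in the Hosts file, can be scripted. The following is an added example written for this page, not code from any poster or from HijackThis or Hoster. The O4 sample lines are copied from the log in post 1; the Hosts sample and the allowlist of well-known bare Windows component names (mobsync.exe, loadqm.exe, ctfmon.exe) are constructed assumptions, and a real triage would still verify each file on disk.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log in post 1.
SAMPLE_O4_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [WSAConfiguration] svchostt.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [Auto Start] winspol.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [WSAConfiguration] svchostt.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKLM\..\RunServices: [Auto Start] winspol.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Auto Start] winspol.exe
O4 - HKLM\..\RunOnce: [Auto Start] winspol.exe
O4 - HKCU\..\RunOnce: [Auto Start] winspol.exe
"""

# Assumption: bare names of genuine Windows components seen in this log.
KNOWN_SYSTEM_BARE = {"mobsync.exe", "loadqm.exe", "ctfmon.exe"}

# "O4 - <registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_o4(log_text):
    """Yield dicts with key/name/cmd for every O4 registry-autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groupdict()


def image_name(cmd):
    """Return the executable part of an autorun command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def suspicious_o4(log_text):
    """Map each autorun image that is a bare filename (no directory) and not a
    known component to the sorted list of autorun keys it was registered under.
    A single worm registering itself under Run, RunServices and RunOnce in both
    hives is the persistence pattern visible in the log above."""
    keys_by_image = defaultdict(set)
    for entry in parse_o4(log_text):
        keys_by_image[image_name(entry["cmd"]).lower()].add(entry["key"])
    return {img: sorted(keys) for img, keys in keys_by_image.items()
            if not re.search(r"[\\/]", img) and img not in KNOWN_SYSTEM_BARE}


# Constructed Hosts file in the hijacked state the thread describes.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.sophos.com
10.0.0.5  www.mcafee.com   # not loopback, still a hijack
192.168.1.10 intranet.example
"""

# Assumption: vendor domains named in the thread; a hosts entry for any of
# them is a hijack whatever address it points at, so the IP is not checked.
VENDOR_DOMAINS = ("symantec.com", "sophos.com", "mcafee.com", "kaspersky.com",
                  "trendmicro.com", "pandasoftware.com", "microsoft.com")


def hijacked_hosts_lines(hosts_text):
    """Return (line number, address, hostname) for every hosts entry that
    overrides a security-vendor domain; 'localhost' is never reported."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append((lineno, fields[0], host))
                break
    return hits


if __name__ == "__main__":
    for img, keys in suspicious_o4(SAMPLE_O4_LOG).items():
        print(f"{img}: bare filename registered under {len(keys)} autorun keys")
    for lineno, addr, host in hijacked_hosts_lines(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {addr} {host} should be deleted")
```

Run as-is it reports svchostt.exe, sysconf.exe and winspol.exe (the last under five different autorun keys) and the four vendor entries in the sample Hosts file; point `suspicious_o4` at a saved HijackThis log and `hijacked_hosts_lines` at the contents of `%SystemRoot%\system32\drivers\etc\hosts` to run the same checks on a real machine.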
  3. vhrios

    vhrios Registered Member

    Joined:
    Mar 15, 2004
    Posts:
    4
    I will do it, step by step. Thank you.
     