My mother has a laptop with XP on it. We just got a wireless card
for it, and I made the mistake of letting her surf the net without
first downloading a firewall. (She had antivirus, just no firewall.)
Anyway, she must have downloaded some kind of trojan horse. She's
getting all kinds of pop-ups without IE even being open, and the CD
drive no longer reads CDs of any kind. I have run Spybot, AdAware,
and still nothing. I ran Norton Antivirus in safe mode and still
nothing. But yet when I run Norton in regular mode, it detects
threats and then freezes up. She's also been consistently getting
error messages at system startup. I'll have to copy them verbatim
later. One says Odhost: cocreate instance failed, and the other one
is in reference to linksys, her wireless connection. Can someone
please help me figure out what's wrong with my mom's da** pc? Thanks.
Request for Question Clarification by mathtalk-ga on 19 Dec 2004 14:59 PST
Hi, nockmdead-ga:
As a next step I suggest downloading and running HijackThis:
http://www.tomcoyote.org/hjt/
regards, mathtalk-ga
Request for Question Clarification by livioflores-ga on 19 Dec 2004 19:35 PST
Please do the following:
Scan your computer online to see if it is infected with some known
virus or trojans; preferably use an online scan because the installed
antivirus could be hijacked too. I suggest you use the following
free services:
"Trend Micro - Free online virus Scan":
http://housecall.trendmicro.com/
"GFI - Free online Trojan scanner", an online tool dedicated to detecting
trojans on your computer:
http://www.trojanscan.com/
Then download and run HijackThis:
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
For detailed instructions see:
"HijackThis Tutorial":
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
Without fixing anything post a HJT log as a question clarification and
I will be able to guide you with the fixing procedure.
Regards.
livioflores-ga
Clarification of Question by nockmdead-ga on 22 Dec 2004 09:23 PST
Here's the logfile from HijackThis:
Logfile of HijackThis v1.99.0
Scan saved at 12:20:51 PM, on 12/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\woyrow.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvfyn32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Clarification of Question by nockmdead-ga on 22 Dec 2004 11:22 PST
Most of the problem is this hijacker called ieautosearch aka IGetNet.
I think it's a variation of the look2me malware. I could go in and
remove it manually with some patience but I was wondering if there was
a fix that I could download to get rid of this nasty piece of spyware.
Also, please see my post regarding the error messages. I'm not sure
how to fix those. We have tried uninstalling the linksys software for
the card and reinstalling it but to no avail.
Thanks.
-P.
Request for Question Clarification by cynthia-ga on 22 Dec 2004 11:37 PST
nockmdead,
I can offer this link...
Remove IGetNet
http://www.spy-bot.net/IGetNet.asp
Scroll down to "manual removal"
Good Luck!
~~Cynthia
Clarification of Question by nockmdead-ga on 22 Dec 2004 21:58 PST
Thank you. I will try the manual method if no one can suggest a quick
download to get rid of the persistent little bugger.
Request for Question Clarification by livioflores-ga on 23 Dec 2004 19:39 PST
Try Ad-aware; it is free. This program will help you remove
spyware and other types of pestware from your computer:
http://lavasoft.element5.com/software/adaware/
To download it:
http://www.majorgeeks.com/download506.html/
Then install and run it and let it fix anything that it found; for a
guide of how to do that visit the following page:
"Ad-aware Tutorial":
http://www.fluteloop.com/Adaware6.htm
Clarification of Question by nockmdead-ga on 25 Dec 2004 06:42 PST
I tried to remove CoolSearch variants and ieautosearch the manual way,
but it would not let me kill running processes. When I hit CTRL, ALT,
DELETE, to get the task manager, I tried to end the processes but I
got an error message telling me that the operation was denied!!!!
And as for CoolWebSearch, I have the CWShredder, but the trojan causes
the program to close so I can't get rid of it!
HELP!
Request for Question Clarification by cynthia-ga on 26 Dec 2004 04:16 PST
Hi again nockmdead,
I remember having a stubborn bug once, here's what I finally did to
resolve the problem.
Go here and download this program. It's FREEWARE.
Move On Boot
http://www.snapfiles.com/get/moveonboot.html
..."MoveOnBoot allows you to copy, move or delete files on the next
system boot. This comes in very handy, if you need to replace or
delete files which are locked by other applications, loaded into
memory or cannot be changed until next system boot. You could manually
enter a line to the wininit files, but using MoveOnBoot is much
simpler, since the program can be integrated into shell - it creates
the "Copy/Move/Delete on boot" context menu item..."
Then, try again to delete the processes. When that fails, note the
file names, and use this utility to remove them at the next boot.
This is accomplished before the Windows OS boots, and has been
successful, in my experience, 100% of the time.
When you are successful, let me know and I'll post it in the Answer
Box to receive payment.
Good luck, although I doubt you'll need it. This will work as long as
you identify the right files/processes to remove.
~~Cynthia
Request for Question Clarification by cynthia-ga on 26 Dec 2004 05:04 PST
nockmdead,
I forgot to mention that you need to disable the Windows "System
Restore" before you reboot the computer with "Move On Boot". Re-enable it
when you confirm it has been successful. You certainly don't want to
"save a restore point" wherein this stubborn bugger is put back in
your system...
Here are the instructions for how to disable (and re-enable) it:
"How to turn on and turn off System Restore in Windows XP"
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
~~Cynthia
Request for Question Clarification by hummer-ga on 26 Dec 2004 08:47 PST
Hi nockmdead,
I have been looking at your HijackThis log and you have a serious
problem involving your PC Winsock (Internet Connection) Settings. Give
my ten steps (don't skip anything) a try and let us know how it goes.
Sorry, I do not believe there is a quick and simple solution to your
troubles (you may need to consider re-formatting).
1) Update your Ad-aware, Spybot, CWShredder and HijackThis.
2) Disable your System Restore.
How to disable the System Restore feature:
http://www.trendmicro.com/en/security/advisories/win_me_clean.htm
3) Download LSPfix and save it to its own folder (do not run yet):
http://www.cexx.org/LSPFix.exe
Disconnect from the internet (important) and launch LSPfix.
Click "I know what I'm doing".
Check all instances of "calsp.dll" (and nothing else), move them to
the "Remove" pane and then click "Finish". Reboot.
4) Reboot into Safe Mode.
How to start Windows in Safe Mode:
http://www.pchell.com/support/safemode.shtml
5) Scan with HijackThis again. Put a check mark beside all lines with:
O1 - Hosts: 69.20.16.183 ieautosearch
and choose FIX.
6) Make sure you can view hidden and system files:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
7) While still in Safe Mode delete this file if it exists:
c:\windows\system32\ folder\calsp.dll
8) While still in Safe Mode, run Ad-aware, Spybot, and CWShredder (run
each until clean).
9) Reboot normally and scan with HouseCall:
HouseCall, a very thorough online virus scan:
http://housecall.trendmicro.com/
10) Re-enable your System Restore and set a new restore point.
Good luck!
hummer
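As an added example (not code from HijackThis, LSPfix, or any poster in this thread), the checks below pull out of a pasted HJT log the same items hummer's list handles by hand: the O1 hosts lines that redirect well-known names to a non-loopback address, the Winsock LSP DLLs HJT reports as unknown (O10, the reason LSPfix is used instead of a plain delete, since a dangling LSP entry breaks all networking), O23 services whose binary is gone, and O4 Run-key autoruns whose executable sits directly in system32. The sample log is a constructed subset of the log posted above plus one made-up loopback line (the kind an ad-blocking hosts file adds) so the loopback filter is visible; the section names and regexes are assumptions about the HJT line format as it appears in that log.

```python
"""Read-only triage of a HijackThis (HJT) log pasted as text.

Added example for this thread; not code from HijackThis or from any poster.
It reads the log text only and changes nothing on the machine.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the log posted in the thread, plus one
# made-up loopback line (ads.example.invalid) to show that only redirects
# to a non-loopback address are reported.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvfyn32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
"""

# Line shapes assumed from the log in the thread (HJT section code, " - ", body).
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
SVC_MISSING_RE = re.compile(r"^Service: (?P<name>.+?) - .*\(file missing\)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
SYS32_EXE_RE = re.compile(
    r'^"?(?P<exe>[a-z]:\\windows\\system32\\[^\\\s"]+\.exe)"?(?:\s.*)?$', re.I)
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def parse(log):
    """Split a log into (section, body) pairs; header and process lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def hosts_redirects(entries):
    """{ip: {hostname: count}} for O1 lines that point anywhere but loopback.
    A loopback entry blocks a name; any other address silently rewrites it."""
    out = defaultdict(Counter)
    for sec, body in entries:
        m = HOSTS_RE.match(body) if sec == "O1" else None
        if m and m.group("ip") not in LOOPBACK:
            out[m.group("ip")][m.group("name")] += 1
    return {ip: dict(names) for ip, names in out.items()}


def unknown_lsps(entries):
    """Distinct DLLs listed as unknown Winsock LSPs (O10). HJT prints one line
    per protocol entry, so repeated lines collapse to one file here."""
    seen, paths = set(), []
    for sec, body in entries:
        m = LSP_RE.match(body) if sec == "O10" else None
        if m and m.group("path").lower() not in seen:
            seen.add(m.group("path").lower())
            paths.append(m.group("path"))
    return paths


def missing_services(entries):
    """Names of O23 services whose binary HJT could not find on disk."""
    names = []
    for sec, body in entries:
        m = SVC_MISSING_RE.match(body) if sec == "O23" else None
        if m:
            names.append(m.group("name"))
    return names


def system32_autoruns(entries):
    """(run-key name, exe) for O4 Run entries whose executable sits directly in
    system32 rather than a product folder. A prompt to look, not a verdict."""
    hits = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        x = SYS32_EXE_RE.match(m.group("cmd")) if m else None
        if x:
            hits.append((m.group("key"), x.group("exe")))
    return hits


def triage(log):
    """One-shot summary of the four checks for a pasted HJT log."""
    entries = parse(log)
    return {
        "hosts_redirects": hosts_redirects(entries),
        "unknown_lsps": unknown_lsps(entries),
        "missing_services": missing_services(entries),
        "system32_autoruns": system32_autoruns(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a full log by reading the file into `triage()`. On the sample it reports one redirect address carrying three hijacked names (one of them listed twice), a single unknown LSP DLL, one service with a missing binary, and one system32 autorun, which is the short list hummer's steps 3, 5 and 7 act on.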
Clarification of Question by nockmdead-ga on 27 Dec 2004 06:49 PST
Hi Cynthia, livioflores, and hummer! The scumware is gone! Hurray!
I got rid of Elite Bar, VX2, CoolWebSearch variants, among others. I
used Cynthia's advice to turn off system restore (I forgot about
that), and followed hummer's steps. I can only pay one of you for
this question, but I still have to resolve the error messages that are
coming on at startup (please see last comment below). So, livioflores
since you answered first, if you want payment, please post in the
answer box. If you decline, please tell Cynthia to post in the answer
box, and likewise if Cynthia declines, please tell hummer to post in
the answer box. Thanks. I can post the error message as a separate
problem to offer payment.
Request for Question Clarification by cynthia-ga on 27 Dec 2004 07:01 PST
YAY!!!!!!
I sent a message to livioflores for you. So happy the major part of
your problem is gone.
~~Cynthia
Request for Question Clarification by livioflores-ga on 27 Dec 2004 09:29 PST
Dear nockmdead:
I appreciate your request for me to post in the answer box to get the
prize, but in my opinion my fellow researcher Cynthia gave you more
valuable advice that led you to fix the problem. So please accept
my declination to post in the answer box to let Cynthia do it.
Thank you.
Sincerely,
livioflores-ga
Clarification of Question by nockmdead-ga on 27 Dec 2004 09:36 PST
Ok, Cynthia. It's all yours. Awaiting the "answer". (-: Thanks.
Request for Question Clarification by cynthia-ga on 27 Dec 2004 10:02 PST
nockmdead,
LOL, I don't feel right about it either. You didn't use MoveOnBoot,
.... you followed hummer's 1-10 checklist instructions after you posted
the HJT log. He spotted the problem.
I'll contact hummer for you.
~~Cynthia