Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Serondal, May 9, 2004.

  1. Serondal

    Serondal Private E-2

    Bad times bad times! I remember the days when you would download a trojan and be able to clean it up in an instant with a good anti-virus program because the trojan would be just a single file. Now I've got a Trojan, for the first time in a long time, and this little sucker is like a freaking alien queen. I feel like screaming Game over man! Game over! and just blowing my hard drive away!

    First of all I have a little problem where I can no longer download windows updates. When they start to install I get a little message where it states that this program has not been tested to run safely with windows XP and will not be installed. Sorry but WTF?! If it is downloading from windows update center it should be certified to run on windows ! :( I have this problem with direct x as well as several other programs that are most certainly meant to be run in windows xp! (No I'm not downloading the wrong versions thank you very much) Furthermore I've got this browser hijacker that I got from a pop up that is just spreading like a virus and every time my spyware programs "clean it up" it just comes right back. I believe there are several programs on this website that are built for destroying it, and thus far none of them work (cool web).

    Now my virus scanner is fighting trojans all over my computer, taking the place of svchost, notepad, and infecting my windows media player o_O At this point I decide, hey time to format my computer and reinstall windows again! It's been a while, it will be good for my computer any how! I go to the windows install disk to start the process like I have done in the past and Beep, error! Operation cannot be completed! I go to the dos prompt and format C doesn't work lol. I'm pretty much fed in the a now hrm?

    Does anyone have any suggestions as to what exactly I should do from here? My final resort is to simply rip out the best parts of my computer, burn my hard drive, buy a new case and start from scratch. What ya guys think?
     
  2. Serondal

    Serondal Private E-2

    The problem is this. The CDs I have for reinstalling windows don't work. They are the kind where ya stick them in the CD drive before it starts and they act like a boot disk. It has Fdisk and what not on it, and in the past they allowed me to reformat and start fresh. However NOW when I try I get all sorts of errors about ghost buster files and dumps not being found. Not really sure what any of it means : ( My major fear is that if I did go ahead and use FDISK (and I don't have any partitions because I never really figured that all out, but that is for another thread ;)) to format everything THEN the CDs STILL won't work ;P I'll have a blank hard disk with no way to install anything onto it. I'd have to go buy windows xp lol. :p And if I gotta start dumping that kind of money into my computer again I'll just go all out and get a new one.
     
  3. Serondal

    Serondal Private E-2

    It is a E-machine ;( Another reason to strip out the stuff I Added on and then start over ;)
     
  4. Serondal

    Serondal Private E-2

    Have you ever heard of windows updates not installing because they don't pass the windows logo test or something? I can't download and install ANY of the new security updates :( Also the hijacker keeps sending me to MSN.com lmao.
     
  5. Serondal

    Serondal Private E-2

    Here is the log

    This is the log, and spy bot found a ton of stuff on my system. I guess I was stupid to assume that Adaware could find everything spy bot could find hrm : P

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Trillian\trillian.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {27E3637F-85F3-44E2-B62C-CCB529989E3B} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} - http://community-cctv.ath.cx/cab/Live.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

     
  6. Serondal

    Serondal Private E-2

    I'm still getting virusscan alerts from McAfee for files in my c:\systemvolumeinformation folder which I can't access for some reason. I really hate when my virusscan catches viruses but can't clean/delete/quarantine them. o_O
     
  7. alanc

    alanc MajorGeek

    OK, first things first. Disable System Restore (directions here) cuz viruses hide in that SVI folder that can't be accessed.

    Then reboot (that will empty the folder), and run another scan and see what it finds.

    Meanwhile I'll take a peek at your HJT log.


    [Edit] What trojan does McAfee say you have?
     
  8. alanc

    alanc MajorGeek

    You can have HJT fix this:
    O2 - BHO: (no name) - {27E3637F-85F3-44E2-B62C-CCB529989E3B} - (no file)

    Other than that I don't see any baddies in there :confused:
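    As an added illustration of reading a HijackThis log like the one posted above (example code written for this page, not HijackThis's own code or the poster's), the Python checker below parses the O2/O4/O16 sections and flags the orphan "(no file)" BHO alanc points out, plus two further defender heuristics; the sample lines and the vendor-host allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format; the first O2 line is the orphan
# BHO alanc told the poster to fix, the others mirror entries from the posted log.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {27E3637F-85F3-44E2-B62C-CCB529989E3B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [CHotkey] mHotkey.exe
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} - http://community-cctv.ath.cx/cab/Live.cab
"""

# Assumed allowlist of vendor hosts for O16 (Download Program Files) entries.
KNOWN_DPF_HOSTS = {"download.macromedia.com", "download.microsoft.com"}

# HJT entries start with a section tag such as R1, O2, O16 followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def review(entries):
    """Return (section, reason, body) for entries a cleanup helper would look at first."""
    findings = []
    for sec, body in entries:
        if sec == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: the DLL is gone but its CLSID is still registered.
            findings.append((sec, "orphan BHO", body))
        elif sec == "O4":
            target = body.split("] ", 1)[1].strip().strip('"')
            if not re.match(r"^[A-Za-z]:\\", target):
                # Bare filename: resolved through the search path, so verify which file runs.
                findings.append((sec, "Run entry without full path", body))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[1]).hostname
            if host not in KNOWN_DPF_HOSTS:
                findings.append((sec, f"ActiveX from unlisted host {host}", body))
    return findings


def orphan_bhos(text):
    """Convenience wrapper: just the O2 lines HJT can remove as dead registrations."""
    return [b for _, r, b in review(parse_hjt(text)) if r == "orphan BHO"]
```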
     
  9. Serondal

    Serondal Private E-2

    I don't recall but next time it pops up I'll tell ya. All I know is, I've got a browser hijacker going on. I run adaware, Spybot, and the CWshredder, my virus scanner, and clear my cache and clean up my registry. Everything scans clean after I run them all the first time. Then as soon as I start my web browser it changes the homepage from blank to MSN and from there everything comes back.
    This is driving me nuts ! :p
     
  10. Serondal

    Serondal Private E-2

    Major Breakthrough ! I did what you said (About disabling the restore) And the thing didn't hijack my web browser (yet) I'm running my myriad of programs now to weed out whatever is left. Are there any other tips ya have for finding those viruses that like to hide in protected file folders and such?
     
  11. Serondal

    Serondal Private E-2

    I think I've got a new problem. My spybot is popping up messages saying S&D has detected an important reg entry that has been changed. And all of them are browser menu extensions, the change is always value deleted. The things that are popping up are, Add this ad to black list, open all links on page, search, and so on. I'm not certain if spy bot is doing this, or if something is going in and deleting these things FROM spy bot so it can't protect me. Any ideas?

    By the way, thanks so much for all the help so far. I've never run into anything this hard to kill since I've had computers and that is a rather long time ;) (Btw after it went through all the "value deleted" sections it went back and said value added to all of them as well. )
     
  12. alanc

    alanc MajorGeek

    Disabling System Restore is the major one that bites users with XP.

    If you can reboot and scan again without a virus/trojan showing up and the browser hijack, then I'd say you're clean :)

    Once you're sure you're clean you can enable SR again.
     
  13. alanc

    alanc MajorGeek

    That sounds like Spybot's new resident protection (teatimer.exe) telling you when registry changes are made. If that's all that happens it's normal.
     
  14. Serondal

    Serondal Private E-2

    What sort of changes should I allow to be made o_O I'm getting tons of changes being made while I'm just sitting here doing nothing.

    I'm running ad-aware over and over and over and every time I run it, the same things I just removed are there again . . .
     
  15. alanc

    alanc MajorGeek

    Can you give some specific examples of the actual messages you're getting?
    That doesn't sound good. SR still disabled?
    At this point it would be good to get 2nd opinions from these online scanners:
    http://www.trojanscan.com/
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    That 1st one won't clean if it finds anything but it's good to ID any trojans you might still have.
     
  16. Serondal

    Serondal Private E-2

    Is there any way I can talk to ya over AIM/MSN/Yahoo or something similar to that? Having this web browser open is letting whatever the hell is on my computer out and it's downloading new stuff. I keep getting the coolweb thing too, even though I've run cwshredder and adware a million times to remove it ; P My name is Serondal on AIM and yahoo.
     
  17. alanc

    alanc MajorGeek

    Sorry, I don't do IM :(
     
  18. Serondal

    Serondal Private E-2

    That's fine, it would make things a lot easier but that's okay ;) That first website is out of date, the last time it was updated was in 2003 lol. Whatever it is that I have is trying to download double click ? Hrm, and it's putting dialers on my system. As for the changes to the registry there is a lot of stuff saying it is deleting or adding things in regards to my browser such as IE toolbars and changes in home pages. When I open my browser it is going to MSN again so whatever I did to change it didn't work after all <sigh> This is driving me nuts, and I can't even format and reinstall because my windows disks don't work. They give error messages when trying to reformat.
     
  19. alanc

    alanc MajorGeek

    That 1st site is excellent and up to date, no matter the displayed date.

    It's possible that you have some nasty ActiveX stuff on there, if so SpywareBlaster will disable it and is a handy proggie for ongoing prevention/protection (update it after you install it).

    Also, have you used the Immunize protection in Spybot? That's also very important, -and- have you updated Ad-aware and Spybot with the latest definitions?
     
  20. Serondal

    Serondal Private E-2

    I downloaded the spyware blaster program and it won't even run. o_O <sighs> Whatever I have, there is obviously nothing out there that can handle it.
     
  21. alanc

    alanc MajorGeek

    What happens when you try to run it?
     
  22. Serondal

    Serondal Private E-2

    It says that it is damaged, on a damaged area of the hard drive, or a virus and that it should be reinstalled. Of course I tried to reinstall it and it still won't work. All my programs are up to date btw ;) I think my best bet is to tear out my hard drive, crush it and start over lol.
     
  23. alanc

    alanc MajorGeek

    Could be a corrupt download..... try downloading again?

    What did the online scans report?

    Also, run HJT again and post the log, it should be showing up in there.....
     
