Unknown problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by kneeland24, Feb 8, 2005.

  1. kneeland24

    kneeland24 Private E-2

    I recently began experiencing major problems with my PC. When I try to run a program it seems to cause the computer to freeze up. I am running Windows XP SP2, 1.8 GHz, 256 MB, 30 GB HDD. My computer has never had any other problems in the 2 years that I have had it. I ran HJT and was wondering if someone out there could take a look at the log and let me know if there are any problems there. I ran AVG Free Edition and it brought back a couple of viruses and a trojan horse named something like startpage.16.AV or something, and the viruses were javabyte.verify I believe. I deleted the infected files and healed the ones that it allowed me to, but am still experiencing the same problems. Any help is greatly appreciated in advance.

    Greg

    P.S. -Sorry if this question has already been asked I am new to this forum.
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure one of the PROS can help you. These guys are quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. kneeland24

    kneeland24 Private E-2

    Also, every time I try to run a program the computer freezes for a short time, then an error window opens saying that Dr. Watson's Postmortem something has encountered an error and needs to close. I followed the instructions on getting rid of viruses and trojans and for some reason it seems to get me nowhere. I am currently attempting to figure out the HijackThis program, but if anyone knows anything from the diagnosis I have explained... please help! Thanks and have a great day.
    Greg
     
  4. kneeland24

    kneeland24 Private E-2

    I am still having no luck in fixing the problem. I can no longer open programs in Normal Mode but have been able to open a couple in Safe Mode. Whenever I open my internet browser it automatically resets my homepage to "about:blank", and whenever I try to open a program in Normal Mode an error pops up saying "Dr. Watson's Postmortem Debugger has encountered an error and needs to close". My AVG seems to recognize the viruses (Java.byteverify) but cannot seem to delete them. If anyone out there can help it is greatly appreciated. If you want me to post my HJT log let me know, maybe that would be of some help.
    Thank you,
    Greg K.
     
  5. TheOldThug

    TheOldThug First Sergeant

  6. kneeland24

    kneeland24 Private E-2

    I ran through all of it in safe mode because I can no longer run programs in Normal mode. I followed the whole procedure and it seems to have done nothing. Here's the log from HJT if anyone can take a look at it I would greatly appreciate it.
    Thanks, Greg
     

    Attached Files:

  7. TheOldThug

    TheOldThug First Sergeant

    Kneeland

    I am going to post what I think you should do.
    DO NOT DO THIS TILL PP OR CHASLANG CONFIRMS THIS

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (Ctrl-Alt-Del) and try to END the following running processes, if found:

    soft.exe
    addup.exe
    tibs5.exe
    3.tmp.exe
    wintcp.exe
    apiyg32.exe
    iua.exe
    appya.exe
    YahooMsgr.exe

    Now scan with HijackThis and Check the Boxes for the following:

    F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
    O2 - BHO: (no name) - {1A8E8BF9-BC1C-41DD-5D9A-CEB7C14ABF94} - C:\WINDOWS\system32\msku.dll
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
    O4 - HKLM\..\Run: [addup.exe] C:\WINDOWS\addup.exe
    O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\3.tmp.exe 1 10001
    O4 - HKLM\..\RunServices: [Windows TCP/IP] wintcp.exe
    O4 - HKLM\..\RunServices: [Yahoo Instant Messengar] YahooMsgr.exe
    O4 - HKLM\..\RunOnce: [apiyg32.exe] C:\WINDOWS\apiyg32.exe
    O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\iua.exe
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: (HKLM)
    O23 - Service: Symantec Network Drivers Service - Unknown - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\appya.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following files if they should remain:

    C:\WINDOWS\system32\soft.exe
    C:\WINDOWS\system32\msku.dll
    C:\WINDOWS\addup.exe
    C:\WINDOWS\system32\tibs5.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\3.tmp.exe 1 10001
    wintcp.exe <--- SEARCH FOR IT probably in C:\WINDOWS OR C:\WINDOWS\SYSTEM32
    C:\WINDOWS\apiyg32.exe
    C:\WINDOWS\system32\iua.exe
    C:\WINDOWS\system32\appya.exe
    YahooMsgr.exe <--- SEARCH FOR IT probably in C:\WINDOWS OR C:\WINDOWS\SYSTEM32

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
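    The fix list above is the kind of triage a helper does by eye: bare filenames with no path, autoruns launched from a Temp folder, RunServices keys, services whose binary is gone, sites pushed into the Trusted zone. As an added example (not part of the thread and not a HijackThis feature), the script below parses the quoted log lines, re-typed here as constructed sample input, and prints the reason each entry was flagged. The kill list is the set of names TheOldThug listed; everything else the script asserts about the entries comes from the log text itself.

```python
"""Triage a HijackThis log excerpt: classify each entry and flag the
indicators a malware helper looks for (bare filenames, Temp-dir autoruns,
Win9x-only RunServices keys, missing service binaries, Trusted-zone additions).
Added example for this thread; SAMPLE_LOG is the excerpt TheOldThug quoted,
re-typed here as constructed input."""
import re
from dataclasses import dataclass, field

# Process/file names TheOldThug told the poster to end and delete.
KILL_LIST = {"soft.exe", "addup.exe", "tibs5.exe", "3.tmp.exe", "wintcp.exe",
             "apiyg32.exe", "iua.exe", "appya.exe", "yahoomsgr.exe"}

SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
O2 - BHO: (no name) - {1A8E8BF9-BC1C-41DD-5D9A-CEB7C14ABF94} - C:\WINDOWS\system32\msku.dll
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
O4 - HKLM\..\Run: [addup.exe] C:\WINDOWS\addup.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\3.tmp.exe 1 10001
O4 - HKLM\..\RunServices: [Windows TCP/IP] wintcp.exe
O4 - HKLM\..\RunServices: [Yahoo Instant Messengar] YahooMsgr.exe
O4 - HKLM\..\RunOnce: [apiyg32.exe] C:\WINDOWS\apiyg32.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\iua.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Symantec Network Drivers Service - Unknown - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\appya.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
MISSING = " (file missing)"


@dataclass
class Finding:
    kind: str
    target: str
    reasons: list = field(default_factory=list)


def _target(kind, body):
    """Pull the file/command part out of an entry body."""
    if kind == "O4":                       # "HKLM\..\Run: [name] command"
        m = re.match(r"[^:]+: \[[^\]]*\] (.*)$", body)
        return m.group(1) if m else body
    if kind == "O2":                       # "BHO: name - {CLSID} - path"
        return body.rsplit(" - ", 1)[-1]
    if kind == "O23":                      # "Service: name - vendor - path"
        return body.split(" - ")[-1]
    if kind == "F3":                       # "REG:win.ini: run=command"
        return body.split("=", 1)[-1]
    if kind == "O15":                      # "Trusted Zone: domain"
        return body.split(": ", 1)[-1]
    return body


def _exe_of(command):
    """First token of a command line; honours a quoted path."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def analyze(log_text):
    """Return a Finding for every entry that carries at least one indicator."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        f = Finding(kind, _target(kind, body))
        if kind == "O23":
            if f.target.endswith(MISSING):
                f.target = f.target[:-len(MISSING)]
                # Could be an uninstall leftover (the Symantec one here was)
                # or malware residue: needs a human decision, so flag, don't fix.
                f.reasons.append("service binary missing; review before fixing")
        elif kind in ("O4", "F3"):
            exe = _exe_of(f.target)
            name = exe.rsplit("\\", 1)[-1].lower()
            if "\\" not in exe:
                f.reasons.append("bare filename, resolved through the search path")
            if "\\temp\\" in exe.lower():
                f.reasons.append("runs from a Temp directory")
            if kind == "O4" and "RunServices" in body:
                f.reasons.append("RunServices key (processed by Windows 9x/Me, not XP)")
            if name in KILL_LIST:
                f.reasons.append("on the thread's kill list")
        elif kind == "O15":
            f.reasons.append("site added to a trusted zone; edit ZoneMap, an HJT fix alone will not hold")
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            f.reasons.append("unnamed Browser Helper Object")
        if f.reasons:
            findings.append(f)
    return findings


def report(findings):
    """Plain-text summary, one entry per block."""
    return "\n".join(f"{f.kind:<4}{f.target}\n    - " + "\n    - ".join(f.reasons)
                     for f in findings)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

    Run it as a script to see the report. The O23 entries are deliberately only flagged, not marked for removal: as the next post points out, one of the two missing-file services here is a legitimate Symantec leftover.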
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Two things to note:

    1) The TrendMicro online scan was not run as required by the READ ME

    2) The HijackThis log is from Safe Mode. All HJT logs must be from normal boot mode unless otherwise requested. This is covered in the HJT tutorial.

    Your procedure to clean up these items is okay (other than my last comment below) but things may be missed due to the log being from safe mode.

    Also, experience with crazywinnings O15 entries would indicate that those items will come right back. The registry needs to be edited to move the items from the Trusted Zone to the Restricted Zone. See how that was done in message number 9 in the following thread: http://forums.majorgeeks.com/showthread.php?t=51045



    Also the service named sndsrvc.exe is associated with the Norton Antivirus from Symantec. This process should not be removed to ensure that your system security is not breached. You need to figure out why this file is missing. It should not be. I would not remove the O23 service entry. I would look into getting the file back. It is unclear what may not work correctly if this is missing.

     
    Last edited: Feb 9, 2005
  9. TheOldThug

    TheOldThug First Sergeant

    Kneeland

    Per what Chaslang said.

    DO NOT REMOVE THE FOLLOWING

    O23 - Service: Symantec Network Drivers Service - Unknown - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
     
  10. TheOldThug

    TheOldThug First Sergeant

    Kneeland

    I am curious, did you uninstall your Norton AV? Are you running AVG as your AV program now? Make sure that you do not run 2 AV programs on your machine. Uninstall the one that you don't want. They will often conflict with each other.
     
  11. kneeland24

    kneeland24 Private E-2

    Here's the new HJT log. I think I may have done something else but I am for some reason not getting any icons or start menu. It is running much better other than not having any icons. I can at least open up programs and such.
     

    Attached Files:

  12. kneeland24

    kneeland24 Private E-2

    I did remove the Norton, and on a thread on another forum it said that the missing file may be due to the fact that I no longer have the program installed. I am currently using AVG 7.0, I believe.
     
  13. TheOldThug

    TheOldThug First Sergeant

    What else did you do?
     
  14. kneeland24

    kneeland24 Private E-2

    The other thing I did was install Windows updates, and now I have no icons or start menu, etc. Just a blank desktop. I'm pretty sure I didn't check any unnecessary boxes in HJT, but I am not sure if that could cause it. I just restarted my computer in Normal Mode and there were no icons.
    THanks again ...Greg
     
  15. TheOldThug

    TheOldThug First Sergeant

    How are you opening up programs if you have no start menu or icons on your desktop?
     
  16. kneeland24

    kneeland24 Private E-2

    I just use task manager -->file--> new task.
     
  17. TheOldThug

    TheOldThug First Sergeant

    I've asked Chaslang to look at your thread when he comes online. Have you tried rebooting again?
     
  18. kneeland24

    kneeland24 Private E-2

    Another note... I just restarted it in Safe Mode and everything on the desktop was normal. Maybe I turned something off that needs to run on startup in Normal Mode. I did notice that explorer.exe was not in Task Manager when I opened it up, don't know if that helps or not.
    THanks, Greg.
     
  19. kneeland24

    kneeland24 Private E-2

    Yeah I rebooted a couple of times.
     
  20. TheOldThug

    TheOldThug First Sergeant

    I'll bet Chas can figure it out. He should be on sometime tonight. OK? Hang in there.
     
  21. kneeland24

    kneeland24 Private E-2

    Oh I have all the time in the world . I really appreciate it. Thanks.
     
  22. kneeland24

    kneeland24 Private E-2

    I stayed in Safe Mode because of the luxury of actually having icons for the moment and decided to run AVG again. It came back with:
    dddd.exe infected with trojan horse "dropper.small.9.BV",
    eree.exe infected with trojan horse "clicker.2.N",
    and 127062.exe infected with trojan horse "dialer".

    I just don't understand why they keep popping up even after I manually delete them.
    Just thought I would keep you updated.
    Greg
     
  23. TheOldThug

    TheOldThug First Sergeant

    All that info helps. Malware is tough and can mutate and reinvent itself. Also Chaslang's point about you being in safe mode for the first HJT file is important. It can cover up problems if not in normal mode when doing HJT.
     
  24. kneeland24

    kneeland24 Private E-2

    I see...should I switch back to normal mode and just stay there since I will most likely need to run more tests there anyway? Or should I just stay in safe for the time being?
     
  25. kneeland24

    kneeland24 Private E-2

    Very interesting... while waiting for AVG to finish I noticed another file that is infected: explorer.exe. Actually it's infected in three locations (C:\WINDOWS\explorer.exe, C:\WINDOWS\servicepackfiles\i386\explorer.exe, and C:\WINDOWS\system32\dllcache\explorer.exe).
     
  26. TheOldThug

    TheOldThug First Sergeant

    Can you run msconfig and see which box is checked, Normal or Selective?
     
  27. kneeland24

    kneeland24 Private E-2

    For startup: selective with all boxes under it checked and "use modified boot.ini"
     
  28. TheOldThug

    TheOldThug First Sergeant

    Hmmmm. Mine says use "original boot.ini". Hopefully Chas will be on soon.
     
  29. kneeland24

    kneeland24 Private E-2

    I cannot remember when I did this (obviously a long time ago). I can't remember if it was from another problem or if it was when I updated something, but I think I needed to do that for some reason. Not too reliable of a reason, but I can't remember exactly why.
     
  30. kneeland24

    kneeland24 Private E-2

    Isn't there some way I can insert the XP disc and then Run: "...." and it will check my system for errors and whatnot and fix them? I was thinking, if I had to delete the infected explorer files, I could do that and it would replace them with a good explorer.exe from the installation disc. I honestly have no idea, just throwing out some ideas. I guess that would just fix the least of my problems... LOL
     
  31. TheOldThug

    TheOldThug First Sergeant

    Did you do anything else, besides updating Windows, after we fixed with HJT?

    Did you disable anything via msconfig?

    Can you rightClick your Desktop? Can you get into "Properties" and see if that ok?

    Can you run a StartupList log in HijackThis' Misc Tools section and post that?

    Just a few ideas.
     
  32. kneeland24

    kneeland24 Private E-2

    Here is a startup list and the latest HJT logfile. No, I cannot right-click on the desktop or get into Properties. After I ran HJT and fixed, I restarted in Normal Mode (the only reason I didn't run HJT in Normal Mode is because that was when I couldn't open any programs), and when it restarted there were no icons or taskbar, etc. That's when I decided to run Windows Update to see if it may fix the problem. It didn't work, and that's when I restarted in Safe Mode and ran AVG to find that my explorer.exe files were infected.

    Hope this is of some help. Greg
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    What are they infected with?

    You can bring back your Desktop and Icons by starting the Explorer shell from Task Manager. Just click File, New Task (Run...) and enter explorer.exe, then click OK!

    But this will more than likely not resolve the issue of why it is not loading at Startup.

    Please post the contents of your c:\boot.ini file here.

    Also we need to see what is in the below registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    and then what the Shell is set to! This should be explorer.exe
     
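    The checks chaslang asks for here (Winlogon Shell, whether explorer.exe is on disk) and the fix he recommended back in post #8 (move the crazywinnings entries from the Trusted to the Restricted zone in the registry) are all registry and file-system reads that can be scripted. The block below is an added example, not something posted in the thread and not a MajorGeeks tool; it is written in PowerShell, which did not exist on the XP SP2 box in 2005, so read it as a modern restatement of the manual steps. It assumes the documented Internet Explorer ZoneMap layout, where Domains\<domain>\<subdomain> holds DWORD values named after the scheme ('http', 'https' or '*') whose data is the zone id (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted); that the HJT line "O15 - Trusted Zone: *.frame.crazywinnings.com" corresponds to Domains\crazywinnings.com\frame is also an assumption.

```powershell
# Added example, not from the thread: chaslang's checks from post #33 plus the
# Trusted-to-Restricted zone move from post #8, as PowerShell. Run elevated.

# 1. Which shell does Winlogon start, and is there a per-user override?
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"HKLM Shell    = $($wl.Shell)"        # expected: explorer.exe
"HKLM Userinit = $($wl.Userinit)"     # expected: C:\WINDOWS\system32\userinit.exe,
if ($wl.Shell -ne 'explorer.exe') { Write-Warning "Shell is not explorer.exe: $($wl.Shell)" }
$cu = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($cu -and $cu.Shell) { Write-Warning "Per-user Shell value (used instead of HKLM for this user): $($cu.Shell)" }

# 2. Is explorer.exe actually on disk, and which protected copies survive?
#    These are the three locations the poster's scanner reported.
$copies = "$env:windir\explorer.exe",
          "$env:windir\system32\dllcache\explorer.exe",
          "$env:windir\ServicePackFiles\i386\explorer.exe"
foreach ($p in $copies) {
    if (Test-Path $p) { "present  $p  (version $((Get-Item $p).VersionInfo.FileVersion))" }
    else              { "MISSING  $p" }
}

# 3. Move every crazywinnings.com ZoneMap entry from Trusted (2) to Restricted (4),
#    in both hives, so the site is blocked rather than merely un-trusted.
#    Assumed layout: Domains\<domain>\<subdomain>, values named http/https/*.
$domain = 'crazywinnings.com'
foreach ($hive in 'HKCU', 'HKLM') {
    $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if (-not (Test-Path $base)) { "$($hive): no ZoneMap entry for $domain"; continue }
    foreach ($key in @(Get-Item $base) + @(Get-ChildItem $base -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            $zone = $key.GetValue($name)
            "$($key.Name)  '$name' = $zone"
            if ($zone -eq 2) {
                Set-ItemProperty -Path $key.PSPath -Name $name -Value 4 -Type DWord
                "  -> moved to Restricted sites"
            }
        }
    }
}
```

    Step 3 is what makes the O15 fix stick: deleting the Trusted-zone key with HJT leaves the malware free to recreate it, whereas a Restricted-zone entry for the same domain is what the linked thread did by hand in regedit.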
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm according to your StartupList log:


    C:\WINDOWS\Explorer.exe: not present

    Now how could that be if your virus scanners said C:\WINDOWS\explorer.exe was infected ?
     
  35. kneeland24

    kneeland24 Private E-2

    I must have deleted it by accident when the test was over... I'm a rookie at this stuff, I don't know.
     
  36. TheOldThug

    TheOldThug First Sergeant

    Chas

    Back in #22 he mentioned this infection.

     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But it did not refer to explorer.exe

    Please try what I said in message # 33 and get me the boot.ini file
     
  38. kneeland24

    kneeland24 Private E-2

    The explorer.exe files were infected with win32/beavis.4350
     
  39. kneeland24

    kneeland24 Private E-2

    Heres the boot.ini file
     

    Attached Files:

    • boot.txt (211 bytes)
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the c:\windows\explorer.exe file actually missing?

    If so, copy the one from C:\WINDOWS\servicepackfiles\i386\explorer.exe to C:\WINDOWS\explorer.exe

    Then try using Task Manager to start explorer.exe
     
  41. kneeland24

    kneeland24 Private E-2

    It's gone. Is there a simple way to extract the compressed file on the Windows XP install CD to that file? A little off topic, but it wouldn't hurt to ask.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have XP SP2; is that what your CD is for?

    Are you saying all the explorer.exe files mentioned earlier are gone?
     
  43. kneeland24

    kneeland24 Private E-2

    Yes, they are gone. I have XP SP2, but the install CD is for SP1, I believe.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use Windows Search and look for explorer.exe and see if there are any left.
     
  45. kneeland24

    kneeland24 Private E-2

    I'm having no luck... I'm using my laptop right now and it has SP2 installed... I just don't think that Microsoft would make it that easy to copy files and paste them on another PC... even though it's not illegal, given I purchased both copies of the OS. Anyway, I cannot seem to find any other copies on the defective machine.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have SP2 on another PC just copy the file from the good one to the bad one.
    Put it in C:\Windows

    Copying it may be the problem though. Are you on a network? Do you have any way you can copy to floppy, CD, or a flash drive and transfer it to the other PC?
     
  47. kneeland24

    kneeland24 Private E-2

    Is the file protected somehow? It seems to not want to copy for some reason. Let me toy with it I will get back to you here in a few minutes.
     
  48. kneeland24

    kneeland24 Private E-2

    Haha... I totally apologize... it did copy to the disk correctly... just getting late, that's all. I have been running WinVNC and had the disk in the computer I was accessing the bad one from and trying to load it. Not sure if you are familiar with WinVNC... never mind, I am just getting tired. It worked just fine; after I copied it I ran C:\windows\explorer.exe and it worked perfectly, all icons and taskbar, etc.
     
  49. kneeland24

    kneeland24 Private E-2

    As far as I can see everything is working fine. I can access programs which I couldn't do before. Should I run my antivirus and ad locating programs?
     
  50. kneeland24

    kneeland24 Private E-2

    Okay, I ran HJT and attached the log. It seems as if I am still getting some sort of redirect from my homepage. Yahoo pops up but sometimes it redirects to this "Spyware Scanner" page or something like that, and I sometimes get popups all relating to spyware blockers and scanners. If there is anything else you think I should do, name it! Thank you again for being patient with me, I'm sure it got a little frustrating. I'm heading to bed for tonight but I will check on here tomorrow morning!

    Greg
     

    Attached Files:

