Solved

pernicious virus? - home page hijacked to windowws.cc, IE won't launch, various windows open blank

Posted on 2004-09-08
Last Modified: 2013-12-04
My laptop appears to be infected with a virus that is causing numerous problems. I presume, but do not know, that the machine became infected during a period of several days between when my Norton Internet Security 2003 subscription lapsed and my attempt to install Norton Internet Security 2004. I will list the symptoms first, then the actions I've taken to correct the problem so far, and last provide the hijackthis log as of this morning. I would deeply appreciate some help ridding my machine of this awful infection.

The symptoms:

1. When attempting to launch Internet Explorer (version 6.0), a browser window briefly flashes and is then replaced with a "File Download" window. (File name: hp.htm; File type: html document; From: www.windowww.cc).

2. Before this started happening, my home page on IE was being hijacked to http://www.windowws.cc/hp.htm?id=9. Uninvited sites are also added to my favorites, mostly porn sites.

3. Windows in various utilities and programs open blank, including the search window in Windows XP, system restore window, help windows in various programs, and all windows in Norton Internet Security 2004. Also some messages arrive in Outlook with blank text fields. When attempting to open or reply to these messages, a window opens with message: "Can't open this item. The text formatting command is not available. It may not be installed correctly. Please install outlook again. An OLE registration error has occurred. The program is not correctly installed. Run SetUp again for the program." I have run set up again, but it did not correct the problem.

4. Various programs/fixes I have downloaded to try to correct this problem, for instance Norton's Intelligent Updater, disappear when I click on their icons or try to install them. I did manage to run a Norton scan however by installing the Updater in Safe Mode with command prompts. (see results of the scan below).

Actions taken so far:

1. I have updated and run Spybot, which found several problems including instances of www.coolwebsearch, which I gather is an adware-related virus. Removing them did not fix any problems. I also ran Spysweeper, which also detected and tried to correct the change in my homepage to windowws.cc, but the redirection immediately returns. I also ran CWShredder this morning, which removed 5 infected IE registry values and “CWS.IEengine,” but this did not fix the problem – according to spysweeper, I’m still getting redirected to windowws.cc, though I’m not actually going there or anywhere else in IE, since it won’t launch.

2. I spent forty bucks and an hour or so with a Norton virus removal person on the phone. With his help I was able to run a scan using their latest update, which detected several instances of the Trojan Horse virus and Download.Trojan. I deleted the infected files during the scan, then reran the scan, which detected no infection. I uninstalled Norton Internet Security, then scanned again just to be sure, then re-installed it. Nothing has changed. Same problems. Norton Antivirus windows open up blank, etc.

In short, my Internet Explorer, Outlook, Search engine, NAV, system restore, etc. are all defunct. I'm able to browse and get email via Netscape and Mozilla however. I would deeply appreciate any help ASAP. As you can no doubt tell, I am not an IT professional, but don’t know where else to turn. I don't understand the point system of this forum but would be glad to pay someone to help me get rid of this problem.

Here is my latest hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:41:13 AM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sgmg40bitu23pp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\TaskPlus\taskplus0.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Jessica\My Documents\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Jessica\Application Data\Mozilla\Profiles\default\xaj3x62w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jessica\Application Data\Mozilla\Profiles\default\xaj3x62w.slt\prefs.js)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\7dzlcaalj0upn.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll (file missing)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgmg40bitu23pp.exe
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\clzsillrgpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Task Plus.lnk = C:\Program Files\TaskPlus\taskplus0.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30ffa00c7d06f3fc6b15/netzip/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37888.2045717593
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multicastmedia.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Question by:neander1
Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 450 total points
Hello neander1 =)

First of all im not saying that i can solve ur problem for sure, but what i can do, is just to try to help u,,,, so if u want u can try my suggestions, otherwise accept my apologies in advance :)


So to start, Im sure u have already most of these tools,,,, but i just want to make u sure that u have them and have installed and updated them :)
Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpySweeper >> http://www.spychecker.com/program/spysweeper.html
SpywareBlaster >> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Stinger >> http://vil.nai.com/vil/stinger (this is a standalone av scan tool, which is not needed to install)
========================================================

Then as ur System Restore is not working, u can disable it >> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

After that run HijackThis, and check the following lines and click on Fix Checked !!
==================================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\7dzlcaalj0upn.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll (file missing)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgmg40bitu23pp.exe
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\clzsillrgpi.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30ffa00c7d06f3fc6b15/netzip/RdxIE601.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multicastmedia.com/common/mbrowser/MINIBrowser.CAB
========================================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator >> http://www.computerhope.com/issues/chsafe.htm
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here

After u finish cleaning, Reboot back in Normal Mode, and dont connect to Internet yet !!
Perform a SFC scan first, and then repair IE !!

Repair or Reinstall Internet Explorer in Windows XP:
http://www.theeldergeek.com/repair_ie6.htm
(First run the SFC scan, and then reinstall using ie.inf method)

then try running this tool:
http://www.mvps.org/sramesh2k/IEFIX.htm

It shud correct the problem of IE blank windows, after repairing, restart and now connect to internet and check if u are getting the same problems or not,,,,,,, and Turn on System Restore again to check if its coming fine or not ??

Post back and Good Luck :)
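As an added example (not from this thread and not part of HijackThis), the script below applies the same checks the expert made by hand to the log lines quoted above: start/search pages outside an allowlist, a missing URLSearchHook, nameless BHOs and Run entries pointing at random-looking files dropped loose in System32, toolbars with no backing file, bare executables in the global Startup folder, and ActiveX (DPF) controls fetched from a bare IP address. The allowlist and the "random-looking name" heuristic are assumptions for illustration, and the sample lines are copied from the log posted in the question plus a few clean lines for contrast.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

ALLOWED_PAGES and looks_random() are illustrative assumptions, not rules
from the tool or the thread; tune them before relying on the output.
"""
import re
from typing import List, Optional, Tuple

# Assumed allowlist: any other start/search page is reported.
ALLOWED_PAGES = {"about:blank", "http://www.google.com/", "http://www.msn.com/"}
# A file sitting directly inside System32 (no subdirectory), case-insensitive.
SYSTEM32_LOOSE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
IP_HOST = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(/|$)", re.IGNORECASE)
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Sample lines from the log in the question, plus clean lines for contrast.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\7dzlcaalj0upn.dll",
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll (file missing)",
    r"O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgmg40bitu23pp.exe",
    r"O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\clzsillrgpi.exe",
    r"O4 - Global Startup: Task Plus.lnk = C:\Program Files\TaskPlus\taskplus0.exe",
    r"O4 - Global Startup: winlogin.exe",
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30ffa00c7d06f3fc6b15/netzip/RdxIE601.cab",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): names like 7dzlcaalj0upn or clzsillrgpi.
    Flags 8+ character names with two or more digits, or with fewer than
    a quarter of their letters being vowels."""
    s = stem.lower()
    if len(s) < 8:
        return False
    digits = sum(c.isdigit() for c in s)
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return digits >= 2
    vowels = sum(c in "aeiou" for c in letters)
    return digits >= 2 or vowels / len(letters) < 0.25


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\System32\\foo.dll' -> 'foo'."""
    name = path.strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def check_entry(line: str) -> Optional[str]:
    """Return a reason string if the line looks suspicious, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        url = body.split(" = ", 1)[-1].strip()
        if url not in ALLOWED_PAGES:
            return f"start/search page set to unexpected URL: {url}"
    elif code == "R3" and "missing" in body:
        return "default URLSearchHook is missing (commonly removed by hijackers)"
    elif code == "O2":
        path = body.rsplit(" - ", 1)[-1].strip()
        if "(no name)" in body and SYSTEM32_LOOSE.match(path) and looks_random(file_stem(path)):
            return f"nameless BHO backed by a random-looking loose System32 DLL: {path}"
    elif code == "O3" and body.endswith("(no file)"):
        return "toolbar registered with no backing file"
    elif code == "O4":
        if body.startswith("Global Startup:"):
            item = body.split(":", 1)[1].strip()
            # A .lnk shortcut shows 'name.lnk = target'; a bare .exe is dropped directly.
            if item.lower().endswith(".exe") and "\\" not in item:
                return f"bare executable in the global Startup folder: {item}"
        else:
            target = re.sub(r"^\[[^\]]*\]\s*", "", body.split(": ", 1)[-1])  # drop [Name]
            exe = target.split(" /")[0].split(" -")[0].strip().strip('"')  # drop arguments
            if SYSTEM32_LOOSE.match(exe) and looks_random(file_stem(exe)):
                return f"Run entry launches a random-looking loose System32 binary: {exe}"
    elif code == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if IP_HOST.match(url):
            return f"ActiveX control fetched from a bare IP address: {url}"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every suspicious entry."""
    return [(ln.strip(), check_entry(ln)) for ln in lines if check_entry(ln)]


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LINES):
        print(f"[!] {reason}\n    {entry}")
```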

Author Comment

by:neander1
Thanks SheharyaarSaahil for responding. I'll try your fix as soon as I can clear some time... one problem though -- when I just tried to disable windows messenger, I am unable to because the "services" window in the Administrative Tools folder comes up blank. The best I think I can do is exit Windows messenger. I hope that's enough. I'll get back to you -- thanks again.

Expert Comment

by:SheharyaarSaahil
>> I am unable to because the "services" window in the Administrative Tools folder comes up blank.

no problem u can disable it also from Start>Run>msconfig>Services and untick Messenger
and remember Messenger Service is not Windows Messenger
Windows Messenger is the IM software, Messenger Service is for sending command messages in a network system :)

Accepted Solution

by:RevelationCS
RevelationCS earned 50 total points
also, try looking at the following:

http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=windowws%2Ecc&alt=windowws%2Ecc

XP resources - http://www.theeldergeek.com/
Trend Antivirus Online Scanner - http://housecall.trendmicro.com
CoolWebShredder - http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop - http://www.mvps.org/sramesh2k/toolbarcop.htm

(my apologies for any duplicate links from SS above)

Author Comment

by:neander1
Thanks RevelationCS....I'll peruse that site... meanwhile, SS or Revelation, how do I run an SFC Scan? I got up to that step, but not sure how to proceed. Just in case I have to redo anything (I had to connect to the internet to send this message), my new hijackthis log is below.

Also, is it important to be in safe mode to run the repair/reinstall fix on www.theeldergeek.com? I can't do so since it requires accessing my Windows XP CD, and I have an external CD drive that doesn't work in Safe Mode. Thanks, Neander1

Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 5:00:48 PM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\TaskPlus\taskplus0.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Documents and Settings\Jessica\My Documents\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Jessica\Application Data\Mozilla\Profiles\default\xaj3x62w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jessica\Application Data\Mozilla\Profiles\default\xaj3x62w.slt\prefs.js)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\d4vtf373to9.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Task Plus.lnk = C:\Program Files\TaskPlus\taskplus0.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37888.2045717593
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


Expert Comment

by:SheharyaarSaahil
only this entry is Bad >> O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\d4vtf373to9.dll

so fix it :)
and i think u have installed this ur self and dont want to remove it, right :)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

anywayz,,,, abt SFC Scan,,,, u can run it in Normal Mode without any problem.... Goto START>RUN and type  sfc /scannow
u will need ur WinXP CD in order to fix the corrupted windows system files, if found by scan.

its described in the www.theeldergeek.com site also,,,, after SFC scan, reinstall IE by ie.inf method OR run the IEFix tool, both methods are same :)

and after that restart and now check for the remaining problems.... post them here, and we will try to kick them out also, Good Luck =)

Expert Comment

by:RevelationCS
BAH! You beat me to it SS! You gotta stop that! ;)

As he said, do the above steps...

Expert Comment

by:SheharyaarSaahil
>> BAH! You beat me to it SS! You gotta stop that! ;)

No one can stop me..... coz Im not at work and not Married yet !!  
LOL :D

Author Comment

by:neander1
Hi SS,

Sorry for the delay in responding -- been traveling. I ran through the steps you suggested and lo and behold, everything worked again, except I was still getting hijacked to the windowws.cc home page, and unwanted sites being added to favorites. I ran a Spysweeper scan this morning though which appears to have taken care of that problem -- we'll see. In any case, the news is good. Much thanks. Please send yr email address.

Expert Comment

by:SheharyaarSaahil
neander1 never mind abt the delay.... and its really good that ur system is running again smoothly..... :)
but i want u to test ur system for some days more to verify if all junk are really gone from ur system, and its safe from the Reinfection :)

>> Please send yr email address
may i ask why,,,, i mean any problem which u want to ask or anything ??
anywayz u can still find it in my profile, as publishing emails on Questions is not allowed here, due to those Spammers =\

Feel free to ask\discuss anything else if u find it confusing =)

Author Comment

by:neander1
SS- Only reason I wanted yr email was to discuss a little compensation for your help, which I wasn't sure was appropriate here. I paid Symantec corp. $40 to not fix the problem, and I think it's only fair if I offer you the same for fixing it.

Here is my latest hijackthis log. Let me know what else is needed to verify if junk is gone from the system.. thanks

Logfile of HijackThis v1.97.7
Scan saved at 11:37:01 AM, on 9/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\TaskPlus\taskplus0.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Jessica\My Documents\downloads\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Jessica\Application Data\Mozilla\Profiles\default\xaj3x62w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Jessica\Application Data\Mozilla\Profiles\default\xaj3x62w.slt\prefs.js)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\cpdxopuupdvwd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgoc0t9pk3axo.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Task Plus.lnk = C:\Program Files\TaskPlus\taskplus0.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37888.2045717593
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


Expert Comment

by:SheharyaarSaahil
Well ur Log is perfectly fine now,,,,, good job ^_^

>> Only reason I wanted yr email was to discuss a little compensation for your help,

lol my friend,,,, no nooooooo.... u dont need to pay or do anything for us,,,,, i and all experts here work for free.... some for helping others with their experience and knowledge, and some(like me) for gaining knowledge and sharing with others :)
and in return we get points and a thank u from the asker and that's more than enough for us :)

actually how we work here..... is u give points value for asking a question, as u gave 500 for this question..... and then u get help from one or more experts.... u try their suggestions, and then when u get the solution of ur problem, u have to Accept the suggestion from that expert which solved ur problem :)

these points rank experts and provide them with premium services.... and that's the reason we compete for them, u know like old school days,,, whoever gets the highest points will be declared First :D
Here is our Help Page which u will love to read, on How we move on EE >> http://www.experts-exchange.com/help.jsp

and abt this question,,,,, i dont want u to close this question right now..... i want u to use ur system for some days more and when u are satisfied that yes everything is OK now.... u can come back and close this question by Accepting the right comments which solved ur problem :)

anything else where i can help u =)
LVL 8

Expert Comment

by:RevelationCS
You can also split points between comments if multiple comments assisted you with the resolution...  to do so, just click on the link that says "Split Points" and divide them up appropriately...
Author Comment

by:neander1
Hi SS and RCS --

well, things didn't turn out so well after all. My computer ran for a day or two, then after trying to load Java and some small Microsoft update (not SP2), I restarted and got a blue screen with a STOP: fatal error {C000021a}. I was not able to reboot, even in Safe Mode. I called Dell, and after being on hold for a couple of hours and bouncing from one person to another was told to try a parallel reinstall of Windows. I did this and the computer will reboot in safe mode, but I still am being hijacked to windowws.cc home page and a lot of stuff doesn't work right, perhaps because I haven't reinstalled all the Dell drivers, and I can't reboot normally -- just get a blank screen.  Dell now suggests I back everything up and do a complete reinstall, which I'm a little reluctant to do, because I'm not sure I've got my emails backed up properly (can't find Outlook.pst file, since my Windows search program comes up with only partial text) and because I can't find the device drivers CD... but will reinstall if there is no other solution. Meanwhile I'm working on my old computer... any suggestions? Should I post another hijackthis log here? Or just bite the bullet and reinstall Windows? Will that get rid of this virus for sure?
LVL 8

Expert Comment

by:RevelationCS
well, as the old saying when it comes to viruses goes... "If all else fails, reinstall"

This will clean the virus, however, it could be a hassle if you don't have everything backed up. Have you tried to back out the Java or MS update to try to locate which one was causing the STOP error?

try taking a look at this link to fix the STOP issue:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20790028.html
LVL 65

Expert Comment

by:SheharyaarSaahil
>> STOP: fatal error {C000021a}.

that means registry corruption..... and u dont know if the virus has damaged it or those updates....
but it's better, if u have backed up ur data.... to do a Fresh Install..... means restore to the factory settings using Dell Recovery Disks..... and if u will tell me the model of ur system,,, i can provide u with the Dell Drivers Download page which u can use to download and install the required drivers for ur system.... if u have lost the CD :)

Post Back if any more questions or confusion =)
Author Comment

by:neander1
Revelations, where would I look for the MS update so I can try to back it out? From the link you supplied it sounds like that might be a factor. But maybe better to do a fresh install as SS says, which would rid me of the virus too.

I think I found the Outlook.pst file, all 115 mb worth, which I presume is my emails, contacts etc.? I've backed it up on disk. If I do fresh install, I can just replace the new Outlook file in the same folder with this one, right?
LVL 8

Expert Comment

by:RevelationCS
first off, to the second question, yes that would be correct. I can't remember, but I think the contacts are a separate PST file.. I might be wrong with this...

secondly, to look for the MS Update, you typically would go into add/remove programs and look for the KB # that you installed last. If you know the KB #, look for that, or if you use Windows Update you can look at the installation history there.
LVL 65

Expert Comment

by:SheharyaarSaahil
neander, u can check these articles on how to Backup and Restore Outlook Data, maybe they can help u :)

MICROSOFT OUTLOOK
--------------------------
OL2000: (IMO) How to Back Up, Restore, or Move Outlook Data
http://support.microsoft.com/default.aspx?scid=kb;EN-US;196492

OL2000: (CW) How to Back Up, Restore, or Move Outlook Data
http://support.microsoft.com/?kbid=195719

OL97: How to Back Up, Restore, or Move Outlook Data
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q168644.

Outlook Express
------------------
How to Back Up and Recover Outlook Express Data
http://support.microsoft.com/default.aspx?scid=kb;EN-US;270670

How to Back Up the Outlook Express Address Book and Mail Folders
http://support.microsoft.com/default.aspx?scid=kb;en-us;188854
Author Comment

by:neander1
OK, backed up Outlook.pst and will do fresh install. My dell driver CD isn't lost, but it is cracked :). The page with the downloads for my system (Dell Latitude X200, service tag 6SVMW11) is http://support.dell.com/support/downloads/devices.aspx?c=us&cs=19&l=en&s=dhs&SystemID=LAT_PNT_P3T_X200&category=0&os=WW1&osl=EN. How do I know which of these many drivers to download? Just see what isn't working and download a driver to fix it?
LVL 8

Expert Comment

by:RevelationCS
provided you don't have any weird controller cards running the HD, you should be okay starting out with the base install. Once you have everything up and running, windows should use default drivers (ie VGA drivers) for the devices that it has drivers for... One recommendation - download the network drivers to disk before you start this process, unless you have another PC you can download from ;)

Once you have the OS up and running and network connectivity, you can go out and update the drivers to the latest that are on the web site....
LVL 65

Expert Comment

by:SheharyaarSaahil
well u will have to install the drivers for those devices, which u are using :)
if u are not sure what are they, u can Download this utility and install it,

EVEREST Home Edition:
http://www.lavalys.com/products/download.php?pid=1&lang=en&pageid=3

it will give u a list of all the hardware attached to ur system, note down the correct
version and make of ur required device, and then u will be able to download and install the correct drivers for ur devices :)
Author Comment

by:neander1
OK, when using Windows Setup to do a fresh install, I'm asked what partition to install Windows XP into. I have two partitions. One is too small (31 MB) for the installation, and the other (28577 MB) already contains the existing (presumably corrupted) version of Windows XP. Is it OK to install into this second partition?
LVL 65

Expert Comment

by:SheharyaarSaahil
why second drive,,,, u have backed up ur data.... right ??
u wanna do a fresh and clean install after formatting the drive and deleting the old winxp corrupted install, right ??

so choose the 28577MB drive, it will ask u to Either Repair or to Format the installation
choose Format. it will format the drive and delete the contents of this drive including XP and ur data (which u have backed up)

then after that it will start installing XP on this formatted drive,,,,, that's all !!
Dont u want to do this..... are u up to a Repair install coz u have not backed up the data :-?
LVL 8

Expert Comment

by:RevelationCS
what he said... .. ;)