Please help! Major Internet/Malware

  #1 souther32 (Newbie)


    My internet quit working for some random reason yesterday, Thursday. Everything else regarding the internet is working fine: Xbox 360 on Live, wireless laptop through my router (what I'm on), AIM, Outlook Express. But whenever I try to go to a webpage an error always occurs: "Page cannot be displayed"... I downloaded many different programs to try and fix it, such as Spybot, Ad-Aware, AntiVir Personal, Microsoft Defender, Kill2Me, CWShredder, Genuine Check, and HijackThis.
    I was at majorgeeks.com for help, and they told me to download that stuff and run it under Safe Mode, and I did. Found 3 objects with Microsoft Defender...

    WinSoftware.WinFixer
    Category: Potentially Unwanted Software

    Description:
    This program has potentially unwanted behavior

    Advice:
    Remove this software immediately

    Resources
    File: C:\Documents and Settings\mom\Application Data\Netscape\NXB\Profiles\vrlkba04.default\Cache\6307B5C8d01

    File: C:\Documents and Settings\mom\Application Data\Netscape\NXB\Profiles\5ua3ftpa.default\Cache.Trash\Trash\Cache\6307B5C8d01

    File: C:\Documents and Settings\mom\Application Data\Netscape\NXB\Profiles\5ua3ftpa.default\Cache.Trash\Trash\Cache\851A1E9Bd01

    PowerReg Scheduler

    Resources
    File: C:\Program Files\Microsoft AntiSpyware\Quarantine\2A4C705D-5DCE-47AD-9ECF-FCE52C\4B441E8B-0626-4D15-Ac76-6660B2

    File: C:\Program Files\Microsoft AntiSpyware\Quarantine\9A1C314B-9F05-4F6F-B8B5-CFF590\B1C407D3-ABED-444E-A977-79B547

    NewDotNet
    file:
    C:\Program Files\Microsoft AntiSpyware\Quarantine\7BBD6271-6586-4651-A37B-346761\AF6CB5B5-52AD-4B4F-BC7C-BF16B9

    I just typed all that...
    Also, I have tried getting webpages using IE, Firefox, and Opera.

    Also here is my Hijackthis Log
    Last edited by souther32; 28-07-2006 at 07:11 PM. Reason: Can't post Hijackthis Log


  #2 souther32 (Newbie)
    Crap, it won't let me post it. Please go to this URL: http://forums.majorgeeks.com/showthread.php?t=98130
    My HijackThis log is 7 posts down... Thanks a lot, guys!!!

    If this helps, my internet is working in Safe Mode with Command Prompt... Like I can go to webpages and stuff...
    Hmmm, this makes me think that something non-Microsoft is running in regular mode causing this to happen.
    Hey, I'm 14, cut me some slack lol
    Last edited by souther32; 28-07-2006 at 07:15 PM.

  #3 souther32 (Newbie)
    Logfile of HijackThis v1.99.1
    Scan saved at 1:17:27 PM, on 7/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\HJT\Analyse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6af208b1-33fd-492b-8c67-e8b471f39754} - (no file)
    O2 - BHO: (no name) - {89ad7923-34f5-4b2f-8630-685a0b4ca66b} - (no file)
    O2 - BHO: (no name) - {A2020B37-C382-B277-FC21-C8C9DEB56E95} - blank (file missing)
    O2 - BHO: (no name) - {BA816159-3BC2-4D07-4BF4-7FBBCEF292ED} - blank (file missing)
    O2 - BHO: (no name) - {C1ADD487-6A33-24E2-D9D8-7AA393078836} - blank (file missing)
    O2 - BHO: (no name) - {caf1e97a-3a63-43f8-b7fa-9cf27c66b3d2} - (no file)
    O2 - BHO: (no name) - {E07E4136-AED5-37AA-E491-F27424479DA5} - blank (file missing)
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [stratas] lockx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\RunServices: [stratas] lockx.exe
    O4 - HKCU\..\Run: [stratas] lockx.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: ChatSpace Full Java Client 4.0.0.325 - http://www.interactionsoftware.com/C...a/cfs40325.cab
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://my.uga.edu/nps/portal/gadget.../LocalExec.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: mad.dll
    O20 - Winlogon Notify: awtsq - C:\WINDOWS\system32\awtsq.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: tvmexehzonvl (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  #4 VopThis (Senior Member, Canada)
    Please review the following similar situation:
    http://forum.malwareremoval.com/viewtopic.php?t=6429
    I'm afraid I have very bad news for you.

    You have a dangerous rootkit installed on your PC as evidenced by this line in your HijackThis log:

    O4 - HKLM\..\Run: [stratas] lockx.exe
    O4 - HKCU\..\Run: [stratas] lockx.exe


    For more info see:

    http://www.facetime.com/pr/pr051028.aspx

    This is a very serious problem.

    My best recommendation is to disconnect from the internet, format, and re-install your operating system and applications. We can likely clean the infected files off the computer, but we cannot be sure that the files involved didn't do anything to your system to reduce overall system security.
    You could be vulnerable to another attack as soon as you connect to net again.
    If I were you, I would backup all critical user files and do a clean reinstall on your PC.
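The indicators VopThis reads off the log in post #3, checked mechanically. This is an added example, not part of the original thread and not HijackThis code. It encodes the checks a responder applies by eye: an O4 autostart whose command names a bare executable with no path (here `lockx.exe`, registered under three autostart keys, so the log alone cannot say where the file lives), AppInit_DLLs being set at all (`mad.dll` is loaded into every process that maps user32.dll, browsers included), Winlogon Notify handlers and services whose binary is missing or whose publisher is unknown, and a Trusted Zone site that also serves an ActiveX package. The sample lines are copied from the log above; the `Finding` type, the `triage` and `_executable` names and the severity labels are the example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis 1.99.1 log in post #3.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6af208b1-33fd-492b-8c67-e8b471f39754} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O20 - AppInit_DLLs: mad.dll
O20 - Winlogon Notify: awtsq - C:\WINDOWS\system32\awtsq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: tvmexehzonvl (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (example's own scale)
    line: str      # the log line that triggered the check
    reason: str    # why a responder would look at it


# One regex per HijackThis section the checks care about.
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (?P<url>https?://\S+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")


def _executable(cmd: str) -> str:
    """Return the program part of an autostart command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage(log: str) -> list[Finding]:
    lines = [l.rstrip() for l in log.splitlines() if l.strip()]
    findings: list[Finding] = []

    # Pass 1: context that later checks cross-reference.
    autostart_locations: dict[str, set[str]] = {}
    trusted_hosts: set[str] = set()
    for line in lines:
        if m := O4_RE.match(line):
            autostart_locations.setdefault(m["name"].lower(), set()).add(f"{m['hive']}\\{m['key']}")
        elif m := O15_RE.match(line):
            trusted_hosts.add(urlparse(m["url"]).hostname or m["url"])

    # Pass 2: per-line heuristics.
    for line in lines:
        if m := O4_RE.match(line):
            exe = _executable(m["cmd"])
            if "\\" not in exe and not exe.startswith("%"):
                n = len(autostart_locations[m["name"].lower()])
                findings.append(Finding("high", line,
                    f"autostart value runs bare '{exe}' with no path, so the log does not say where it lives; "
                    f"value name '{m['name']}' is registered in {n} autostart location(s)"))
        elif m := O2_RE.match(line):
            if "no file" in m["path"] or "file missing" in m["path"]:
                findings.append(Finding("low", line, "orphaned BHO registration, DLL already gone; registry cleanup only"))
        elif m := O15_RE.match(line):
            findings.append(Finding("medium", line, "site in the IE Trusted Zone runs with relaxed security settings"))
        elif m := O16_RE.match(line):
            host = urlparse(m["url"]).hostname
            if host in trusted_hosts:
                findings.append(Finding("high", line, f"ActiveX package served by {host}, which is also in the Trusted Zone"))
        elif m := APPINIT_RE.match(line):
            findings.append(Finding("high", line,
                f"AppInit_DLLs is set ({m['dlls']}): loaded into every process that maps user32.dll, browsers included"))
        elif m := NOTIFY_RE.match(line):
            if "file missing" in m["path"]:
                findings.append(Finding("medium", line, "Winlogon Notify handler with no DLL on disk: leftover of a removal, or a file the scanner cannot see"))
        elif m := O23_RE.match(line):
            unknown = m["owner"].lower().startswith("unknown")
            missing = "file missing" in m["path"]
            if unknown and missing:
                findings.append(Finding("high", line, "service with no publisher and no binary on disk; confirm against a known install before trusting it"))
            elif unknown:
                findings.append(Finding("medium", line, "service with no publisher information; verify the binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

The heuristics only order the work; they do not decide it. The same "Unknown owner" plus "(file missing)" rule that catches `msupd6.exe` also fires on the ASP.NET State Service line in the full log, which is a normal .NET 2.0 component, so every high-severity hit still needs a person to check the path and the name before anything is deleted. The bare-filename rule is the one that matters most here: three copies of the same value across HKLM\Run, HKLM\RunServices and HKCU\Run is the persistence pattern VopThis is reacting to.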
