
Strange virus/spyware problem shutting all windows

Discussion in 'Malware and Virus Removal Archive' started by spotta, 2005/04/25.

Thread Status:
Not open for further replies.
  1. 2005/04/25
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Hi

    I wonder if anyone can shed some light on a suspected virus/spyware problem I have on a machine here.
    (Dell PC - XP Home SP2)

    It was totally infected when I got it, and I have managed to clean off over 70 viruses and over 100 items of spyware, but I am still having trouble.
    What is happening is that every window that is opened is shut straight down, either immediately or after a few seconds. It doesn't seem to matter if it is an instance of IE, an instance of Windows Explorer, or any other program; the only program I have found so far which is not affected is Ad-Aware SE. It is exactly the same in safe mode.
    The other strange thing is that 'Folder Options' has gone! It is not in Control Panel, and if in Windows Explorer you go to the Tools menu, the only three choices listed are
    map network drive,
    disconnect network drive,
    and synchronise.

    Has anyone heard of this before?

    Many thanks

    Spotta
     
  2. 2005/04/25
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Have you tried logging on as admin in safe mode?
    It sounds like the registry has been tampered with.
    If regedit is locked, try this:
    copy and paste the following into Notepad, save it as reg.vbs and run it to re-enable regedit.

    Code:
    'Enable/Disable Registry Editing tools
    '© Doug Knox - rev 12/06/99
    
    Option Explicit
    
    'Declare variables
    Dim WSHShell, n, MyBox, p, t, mustboot, errnum, vers
    Dim enab, disab, jobfunc, itemtype
    
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    'Policy value that locks regedit: HKCU\...\Policies\System\DisableRegistryTools
    p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
    p = p & "DisableRegistryTools"
    itemtype = "REG_DWORD"
    mustboot = "Log off and back on, or restart your pc to" & vbCR & "effect the changes"
    enab = "ENABLED"
    disab = "DISABLED"
    jobfunc = "Registry Editing Tools are now "
    
    'This section tries to read the registry key value. If not present an
    'error is generated. Normal error return should be 0 if value is
    'present
    t = "Confirmation"
    Err.Clear
    On Error Resume Next
    n = WSHShell.RegRead(p)
    'Capture the error number before error handling is switched back on,
    'otherwise the On Error Goto 0 statement can reset it
    errnum = Err.Number
    On Error Goto 0
    
    If errnum <> 0 Then
        'Create the registry key value for DisableRegistryTools with value 0
        WSHShell.RegWrite p, 0, itemtype
        n = 0
    End If
    
    'If the key is present, or was created, it is toggled
    'Confirmations can be disabled by commenting out
    'the two MyBox lines below
    
    If n = 0 Then
        n = 1
        WSHShell.RegWrite p, n, itemtype
        MyBox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
    ElseIf n = 1 Then
        n = 0
        WSHShell.RegWrite p, n, itemtype
        MyBox = MsgBox(jobfunc & enab & vbCR & mustboot, 4096, t)
    End If
     


  4. 2005/04/25
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Hi TonyT

    It is the same when logged on as administrator in safe mode.
    I am unsure what you mean by regedit being locked.
    If I type regedit in the run box, it does open for a second before being closed by the annoying bug that's causing all the trouble.

    regards

    spotta
     
  5. 2005/04/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Suggest you first try running SFC. If you can get HijackThis to run, post a log.
     
  6. 2005/04/25
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Hi.

    Cannot run SFC, but here is the HijackThis log.

    regards.

    Spotta

    Logfile of HijackThis v1.99.1
    Scan saved at 16:47:49, on 25/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\mcsv.com
    c:\windows\system32\explorer.exe
    c:\windows\explorer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\windows\rundll32.exe
    c:\windows\system32\IEXPLORE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\LVComsX.exe
    C:\Documents and Settings\Zoe\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,C:\WINDOWS\system32\mcsv.com
    O1 - Hosts: 212.58.240.33 www.symantec.com
    O1 - Hosts: 212.58.240.33 www.sophos.com
    O1 - Hosts: 212.58.240.33 www.mcafee.com
    O1 - Hosts: 212.58.240.33 www.viruslist.com
    O1 - Hosts: 212.58.240.33 www.f-secure.com
    O1 - Hosts: 212.58.240.33 www.avp.com
    O1 - Hosts: 212.58.240.33 www.kaspersky.com
    O1 - Hosts: 212.58.240.33 www.networkassociates.com
    O1 - Hosts: 212.58.240.33 www.ca.com
    O1 - Hosts: 212.58.240.33 www.my-etrust.com
    O1 - Hosts: 212.58.240.33 www.nai.com
    O1 - Hosts: 212.58.240.33 www.trendmicro.com
    O1 - Hosts: 212.58.240.33 www.grisoft.com
    O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
    O1 - Hosts: 212.58.240.33 symantec.com
    O1 - Hosts: 212.58.240.33 sophos.com
    O1 - Hosts: 212.58.240.33 mcafee.com
    O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
    O1 - Hosts: 212.58.240.33 viruslist.com
    O1 - Hosts: 212.58.240.33 f-secure.com
    O1 - Hosts: 212.58.240.33 kaspersky.com
    O1 - Hosts: 212.58.240.33 kaspersky-labs.com
    O1 - Hosts: 212.58.240.33 avp.com
    O1 - Hosts: 212.58.240.33 networkassociates.com
    O1 - Hosts: 212.58.240.33 ca.com
    O1 - Hosts: 212.58.240.33 mast.mcafee.com
    O1 - Hosts: 212.58.240.33 my-etrust.com
    O1 - Hosts: 212.58.240.33 download.mcafee.com
    O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
    O1 - Hosts: 212.58.240.33 secure.nai.com
    O1 - Hosts: 212.58.240.33 nai.com
    O1 - Hosts: 212.58.240.33 update.symantec.com
    O1 - Hosts: 212.58.240.33 updates.symantec.com
    O1 - Hosts: 212.58.240.33 us.mcafee.com
    O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
    O1 - Hosts: 212.58.240.33 customer.symantec.com
    O1 - Hosts: 212.58.240.33 rads.mcafee.com
    O1 - Hosts: 212.58.240.33 trendmicro.com
    O1 - Hosts: 212.58.240.33 grisoft.com
    O1 - Hosts: 212.58.240.33 sandbox.norman.no
    O1 - Hosts: 212.58.240.33 www.pandasoftware.com
    O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll" ", RunDll32
    O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\svhost.exe
    O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
    O4 - HKCU\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll" ", RunDll32
    O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\svhost.exe
    O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: bw+0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {EA7775D5-B70C-40DF-99EC-590FF8A45431} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  7. 2005/04/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Create a new folder on the desktop and move HijackThis to the folder.

    You could safely uninstall the Logitech Desktop Messenger from Add/Remove, unless you plan to use it.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.
    (all O1 entries)
    O1 - Hosts: 212.58.240.33 f-secure.com
    O1 - Hosts: 212.58.240.33 kaspersky.com
    O1 - Hosts: 212.58.240.33 kaspersky-labs.com
    O1 - Hosts: 212.58.240.33 avp.com
    O1 - Hosts: 212.58.240.33 networkassociates.com
    O1 - Hosts: 212.58.240.33 ca.com
    O1 - Hosts: 212.58.240.33 mast.mcafee.com
    O1 - Hosts: 212.58.240.33 my-etrust.com
    O1 - Hosts: 212.58.240.33 download.mcafee.com
    O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
    O1 - Hosts: 212.58.240.33 secure.nai.com
    O1 - Hosts: 212.58.240.33 nai.com
    O1 - Hosts: 212.58.240.33 update.symantec.com
    O1 - Hosts: 212.58.240.33 updates.symantec.com
    O1 - Hosts: 212.58.240.33 us.mcafee.com
    O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
    O1 - Hosts: 212.58.240.33 customer.symantec.com
    O1 - Hosts: 212.58.240.33 rads.mcafee.com
    O1 - Hosts: 212.58.240.33 trendmicro.com
    O1 - Hosts: 212.58.240.33 grisoft.com
    O1 - Hosts: 212.58.240.33 sandbox.norman.no
    O1 - Hosts: 212.58.240.33 www.pandasoftware.com
    O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
    O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll" ", RunDll32
    O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\svhost.exe
    O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
    O4 - HKCU\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll" ", RunDll32
    O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\svhost.exe
    O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe

    Turn off system restore.
    Reboot to safe mode and delete the file svhost.exe in C:\Windows.
    Look for and delete, if present, the files mcsv.com, Proxyspam.exe and Socks8080.exe in the C:\Windows\system32 folder.
    Empty the contents of all temp folders and C:\Windows\Prefetch.
    Empty the Temp Internet Files and then the recycle bin.

    Reboot back into Windows and see if you can run a RAV scan. Let us know of any infected files and post a new HJT log.
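The fix list above targets three distinct hijacks visible in the posted log: O1 hosts-file entries that point every major antivirus vendor's domain at one address (which is why the online scanners and LiveUpdate could not be reached), the F2 UserInit line that chains a second executable into the logon sequence, and O4 Run entries that launch svhost.exe, a look-alike of the legitimate svchost.exe. The script below is an added example, not part of this thread or of HijackThis, that triages a log of that shape offline and reports exactly those three patterns. The SAMPLE_LOG is a constructed subset modelled on the log posted above; the SYSTEM_NAMES list, the one-character edit-distance rule for look-alike names, and the function names are assumptions of this example.

```python
"""Offline triage of a HijackThis-style log for the three hijacks seen in
this thread: O1 hosts entries that redirect security-vendor domains, an
F2 UserInit hijack, and O4 Run entries launching look-alike binaries.
It only reads log text; it never touches the registry or the hosts file."""
import re
from collections import defaultdict

# Vendor name fragments taken from the O1 lines in the posted log.
VENDOR_FRAGMENTS = ("symantec", "sophos", "mcafee", "kaspersky", "f-secure",
                    "avp.com", "networkassociates", "nai.com", "trendmicro",
                    "grisoft", "viruslist", "etrust", "ca.com", "norman",
                    "pandasoftware")

# Assumption: a short list of Windows binaries that malware commonly
# mimics by name (svhost.exe for svchost.exe, etc.), not a full catalogue.
SYSTEM_NAMES = ("svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "spoolsv.exe")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
O4_RE = re.compile(r'^O4 - (\S+?)\\\.\.\\Run: \[([^\]]+)\]\s+"?([^"\s]+)')

# Constructed sample in the shape of the log posted above (a subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit32.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [MMSystem] c:\windows\rundll32.exe "c:\windows\system32\mmsystem.dll" ", RunDll32
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def edit_distance_le1(a, b):
    """True when a and b are equal or differ by one insertion, deletion
    or substitution (enough to catch svhost.exe vs svchost.exe)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # character deleted from a
            i += 1
        elif len(a) < len(b):    # character inserted into a
            j += 1
        else:                    # substitution
            i += 1
            j += 1
    # Characters left over at the end count as one edit each.
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage(log_text):
    """Return a list of (section, description) findings for the log."""
    findings = []
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if not is_loopback(ip):
                by_ip[ip].append(host)
                if any(frag in host.lower() for frag in VENDOR_FRAGMENTS):
                    findings.append(("O1", f"security vendor {host} redirected to {ip}"))
            continue
        m = F2_RE.match(line)
        if m:
            # A clean XP UserInit holds exactly one entry: ...\system32\userinit.exe
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            for p in parts:
                if not p.lower().endswith("\\system32\\userinit.exe"):
                    findings.append(("F2", f"UserInit launches {p}"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, exe = m.groups()
            base = exe.rsplit("\\", 1)[-1].lower()
            for sysname in SYSTEM_NAMES:
                if base != sysname and edit_distance_le1(base, sysname):
                    findings.append(("O4", f"[{name}] runs {exe}, a look-alike of {sysname}"))
                    break
    # Many unrelated hosts sharing one non-loopback address is the
    # sinkhole pattern from the posted log.
    for ip, hosts in by_ip.items():
        if len(hosts) >= 3:
            findings.append(("O1", f"{len(hosts)} hosts all mapped to {ip}"))
    return findings


if __name__ == "__main__":
    for section, text in triage(SAMPLE_LOG):
        print(f"{section}: {text}")
```

Run on the sample it reports the three vendor redirections plus the shared-address cluster, both UserInit entries (the renamed userinit32.exe as well as mcsv.com), and the svhost.exe Run entry. The rundll32/mmsystem.dll entry is deliberately not matched by any rule here; that one still needs the human judgement the helper applied above, which is a fair reminder that a triage script narrows the list rather than replacing a reviewer.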
     
  8. 2005/04/26
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Hi.

    Completed the HijackThis fix fine.
    Could not turn off System Restore, as the icon is missing from Control Panel > System.
    Could not find the files, as Folder Options is still missing from the Tools menu in Windows Explorer and from Control Panel.

    So I put the hdd in another machine, told that machine to disable System Restore on all drives, removed the files mentioned above, ran the Housecall online scan, which found another 2 viruses, and emptied all temp folders followed by the recycle bin.

    Put hdd back in dell machine, it now gets to the logon screen, then whatever identity you choose it logs on for a brief second and logs you out again.

    another change is that now on the bottom of the logon screen where it used to say 'turn off computer' it now says 'turn of the computer of the groovy chick' ?!?

    **CORRECTION**
    From a cold boot the logon screen displays 'turn off computer'
    once you have tried to logon and failed it changes to 'turn of the computer of the groovy chick'

    Thanks for the help so far

    Spotta
     
    Last edited: 2005/04/26
  9. 2005/04/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Will it boot into safe mode? If so, open a command window and type chkdsk /r, hit enter and reboot. Then do sfc /scanboot and reboot. Have an XP cd handy. You will then need to do sfc /revert to reset the SFC back to default, or it will run on every restart.

    Scan the drive with MWAV. Check the boxes for Startup and System folders, Drive (select drive), and Scan All Files. When it completes, copy the lower window labelled Virus Log Information and post it here.
     
  10. 2005/04/26
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Same problem in safe mode.
    it just logs you straight back out.

    :(
     
  11. 2005/04/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    With the drive slaved in your computer, try running a check disk. My computer, right click the drive, properties, tools tab, check now. Tick both boxes in the popup and start.

    Scan it with the MWAV while slaved also.
     
  12. 2005/04/27
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    I ran check disk last time it was slaved to another machine.

    I have just slaved it again and ran MWAV (nice little utility). It found:
    File D:\l0ser.Html infected by "IM-Worm.Win32.Sumom.c" Virus. Action Taken: No Action Taken.
    File D:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts infected by "Trojan.Win32.Qhost" Virus. Action Taken: No Action Taken.

    Both of these were missed by RAV, Housecall and Symantec online scans
     
  13. 2005/04/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run this Symantec tool to see if it can detect and remove any more components of that infection.
     
  14. 2005/04/27
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    I ran it with the hdd slaved on my spare machine but it did not find or repair/delete it ; (

    Deleted the files manually, but MWAV picks them up in Recycler.

    spotta
     
  15. 2005/04/28
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    As MWAV seemed to be the only anti-virus tool that picked up these viruses, I bought it.

    Ran the scan - says machine is clean - put hdd back in original pc - no difference ; (

    Time for a reformat, methinks....
     
  16. 2005/04/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've been mulling this over most of the day, and for lack of a really good suggestion, and because a format may be the quickest and likely the surest fix, I'll have to agree it's time for the disk. Oh, if the drive were in my hands, because of my tenacity and 'need to see if I can fix it', there are some other things I'd try, some of which I'll share now, though I'm not necessarily recommending them.

    Ewido seems to be gaining popularity, and I have heard good things about its ability to find things other scanners don't.

    Not sure if turning off System Restore while slaved would actually clear the restore points created when it was in its home as the OS disk, and not sure if it matters anyway for Last Known Good to work, but that's one thing I would try also. Haven't researched it much, but it seems to me that while System Restore backs up both registry and file system information, Last Known Good is a registry hive backup only, and done separately from SR. May be a good one you could roll back to.

    Parallel installation: re-install XP to a new folder on the same partition, such as C:\Windows1 rather than C:\Windows.


    Your court. ;) Let us know.
     
    Last edited: 2005/04/28