HELP!! My PC is broken!!

pchelpman

Browntoa wrote:

ignore any "advice " from anyone apart from me or Pchelpman from this point

Alfonso too!;)

BT ... Running Processes can't be fixed with HJT just by scanning/ticking and hitting "Fix Checked". You have to stop the process first then kill off the associated run keys/files/folders. But I know you know that!! it's just too hot to think of everything at the moment.

Mum ... there is more to do after you have worked through that lot but hopefully BT's advice will have trimmed down the bad stuff.

That log is a dreadful mess. I was wondering how it may have got in that state. I see you are using TalkTalk antivirus but which firewall do you use? Please tell us.

Also, as has been suggested many times before, you must be careful what you allow to be downloaded on to the computer.

Post back again as soon as you can.

stressedoutmumof1

Hi guys - sorry for not posting for a while - but haven't been at work so couldn't acess internet - grrrrr

Anyhow have followed all instructions and have posted another hijack log (below) - couldn't follow the steps ref Malware removal (1-4) as coudln't access internet. Here goes...........

Logfile of HijackThis v1.99.1
Scan saved at 12:39:38, on 23/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\TalkTalk Online Security\backweb\81720\program\fsbwsys.exe
C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
C:\Program Files\TalkTalk Online Security\Anti-Virus\fssm32.exe
C:\Program Files\TalkTalk Online Security\Common\FSMB32.EXE
C:\Program Files\TalkTalk Online Security\Common\FCH32.EXE
C:\Program Files\TalkTalk Online Security\Common\FAMEH32.EXE
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsrw.exe
C:\Program Files\TalkTalk Online Security\FSPC\fspc.exe
C:\WINDOWS\update\updmangr.exe
C:\WINDOWS\services.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TalkTalk Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\TalkTalk Online Security\FSGUI\ispnews.exe
C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE
C:\WINDOWS\System32\vcshost.exe
C:\Program Files\Common Files\!!040839FD-0A28-2057-0225-04012420002c}\Update.exe
C:\PROGRA~1\TALKTA~1\ANTI-S~1\fsaw.exe
C:\Program Files\TalkTalk Online Security\FSGUI\fsguidll.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Messenger\msmsgs.exe
A:\hijackthis2\HijackThis.exe

O2 - BHO: Malicious Scripts Scanner - !!55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
O3 - Toolbar: &Radio - !!8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [News Service] "C:\Program Files\TalkTalk Online Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\TalkTalk Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TalkTalk Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [VCS Host] vcshost.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager Tool] C:\WINDOWS\update\updmangr.exe
O4 - HKLM\..\RunServices: [VCS Host] vcshost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [VCS Host] vcshost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TalkTalk Online Security.lnk = C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\TalkTalk Online Security\Anti-Spyware\blockpopups.htm
O9 - Extra button: Web Filter - !!200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\TalkTalk Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - !!200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\TalkTalk Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - !!200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\TalkTalk Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - !!300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\TalkTalk Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - !!300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\TalkTalk Online Security\Anti-Spyware\ieshield.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\!!86CB3585-B575-46FB-B44B-0E5945A94D49}: NameServer = 62.24.128.17 62.24.128.18
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 62.24.128.17
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = 62.24.128.17
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 62.24.128.17
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\kt04l7dq1.dll
O23 - Service: TalkTalk Online Security (BackWeb Plug-in - 81720) - BackWeb Technologies Inc. - C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\TalkTalk Online Security\backweb\81720\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SNMP Service (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe

Thanks in advance

Browntoa

you still have problems

O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - C:\WINDOWS\update\updmangr.exe


is still running and is a trojan

Browntoa

you need to donwload this somehow onto a CDR or USB drive (mp3 player)

http://www.safer-networking.org/en/download/index.html

Spybot - Search & Destroy 1.4 - product description
md5: C1A843913269018A8FC962407D7E5169Application to scan for spyware, adware, hijackers and other malicious software.

and also

Detection updates 2006-07-21 - product description
md5: 81E8B88003B0394CB17D2657F0154C76This updates the detection rules. Only needed if you do not want to use the update function integrated into Spybot-S&D.

the first one is the program, the 2nd one is the update program that will bring the definitions up to date without having an internet connection

then run it in safe mode

Browntoa

also do the same with Ewido

the program is here

http://www.ewido.net/en/download/

and then download the update

Full database
This installer always includes the complete database of ewido anti-spyware.

Browntoa

we need to clean the Malware thats on there and this is the only way

worse case get a friend to burn the stuff to CDR for you

you should be able to do a scan of the PC with the Talk Talk Antivirus

stressedoutmumof1

Thanks for that Browntoa - have downloaded everything onto my memory stick, and will try all when I get home

stressedoutmumof1

Browntoa wrote:

we need to clean the Malware thats on there and this is the only way

worse case get a friend to burn the stuff to CDR for you

you should be able to do a scan of the PC with the Talk Talk Antivirus

I've done a scan of the pc with the talk talk antivirus. The first time it said Malware detected - and then removed it (allegedly). Now it comes up clean as a whistle when I do it

stressedoutmumof1

pchelpman wrote:

Alfonso too!;)

BT ... Running Processes can't be fixed with HJT just by scanning/ticking and hitting "Fix Checked". You have to stop the process first then kill off the associated run keys/files/folders. But I know you know that!! it's just too hot to think of everything at the moment.

Mum ... there is more to do after you have worked through that lot but hopefully BT's advice will have trimmed down the bad stuff.

That log is a dreadful mess. I was wondering how it may have got in that state. I see you are using TalkTalk antivirus but which firewall do you use? Please tell us.

Also, as has been suggested many times before, you must be careful what you allow to be downloaded on to the computer.

Post back again as soon as you can.

Ref the firewall - I think that is included in the talk talk antivirus.

Ref the pc being in a mess - hubby tried to download some stuff to fix the problem - but has obviously made it much worse. Which is why he's been banned from doing anything on the pc till I've tried my best to fix it with the help and advice from you guys.

Browntoa

when you have finished do my a fresh Hijackthis log, I think Spybot + Ewido in safe mode will clear hte malware