
Spyware / Virus Removal Spyware, virus, browser hijack and other malware removal.

#1, 01-22-2005, 09:47 PM
tracy (Junior Member, Join Date: Jan 2005, Posts: 12)
My daughter's computer has a virus. It has made her home page about blank.com, has backdoor trojans affecting Windows files, etc. (she has Windows XP). I went through the procedure recommended here: scanned with AVG and Norton, Spybot, Ad-Aware. It found a few infected files and quarantined them. I then restarted the computer in safe mode as recommended and proceeded to try and run these scans again, but it will not let me scan anything in safe mode. When I try to use Ad-Aware, Spybot or anything, it does nothing, won't even bring it up to the screen, but a popup comes up that says Driver(CORE) not found winerr=2.

#2, 01-22-2005, 09:50 PM
Mobo (Thinking outside the box, Join Date: Sep 2004, Location: Cape Breton, Posts: 4,612)
OK, well first Tracy, welcome and don't panic. We'll get to the bottom of it in a bit.

For now do this in regular mode:

Download HijackThis to its own folder [Only Registered and Activated Users Can See Links. Click Here To Register...]
Double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here.

Most of what it lists will be harmless or even essential; don't fix anything yet.
#3, 01-22-2005, 10:07 PM
tracy (Junior Member, Join Date: Jan 2005, Posts: 12)
OK, I am not in panic mode yet, although all these trojans popping up are a bit scary. Am going to do what you say now, will be back, and thank you so much.
#4, 01-22-2005, 10:08 PM
Mobo (Thinking outside the box, Join Date: Sep 2004, Location: Cape Breton, Posts: 4,612)
Just post it when ready.

#5, 01-22-2005, 10:16 PM
tracy (Junior Member, Join Date: Jan 2005, Posts: 12)
OK... hope this attachment is there.
#6, 01-22-2005, 10:24 PM
tracy (Junior Member, Join Date: Jan 2005, Posts: 12)
Logfile of HijackThis v1.99.0
Scan saved at 10:10:51 PM, on 1/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\khooker.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DLA\dlatray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Company\Quick Start Button\QSB.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Default\My Documents\My Pictures\virusprotection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FrontierNet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E1545A56-DE0C-2E0C-EE11-ABB18D6F1A8E} - C:\WINDOWS\ntmr32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP DLA] "C:\Program Files\HP DLA\dlatray.exe" /t
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP CD-DVD] C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [QSB] C:\Program Files\Company\Quick Start Button\QSB.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.frontiernet.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: Yahoo! Klondike Solitaire - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: Yahoo! Spelldown - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwe** Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]
O17 - HKLM\System\CCS\Services\Tcpip\..\{322E1CA1-4248-4E48-AD10-F81077742F7C}: NameServer = 66.133.191.35 170.215.255.114
O17 - HKLM\System\CS2\Services\Tcpip\..\{322E1CA1-4248-4E48-AD10-F81077742F7C}: NameServer = 66.133.191.35 170.215.255.114
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
#7, 01-22-2005, 10:38 PM
Mobo (Thinking outside the box, Join Date: Sep 2004, Location: Cape Breton, Posts: 4,612)
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
[Only Registered and Activated Users Can See Links. Click Here To Register...]


Please download about:Buster from here: [Only Registered and Activated Users Can See Links. Click Here To Register...]
Once it is downloaded, extract it to c:\aboutbuster. Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.



Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {E1545A56-DE0C-2E0C-EE11-ABB18D6F1A8E} - C:\WINDOWS\ntmr32.dll

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"


O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - [Only Registered and Activated Users Can See Links. Click Here To Register...]

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Now open windows explorer, find then delete:
C:\WINDOWS\system32\yegxe.dll
C:\Program Files\webHancer


Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop


REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.



• Download the Hoster from [Only Registered and Activated Users Can See Links. Click Here To Register...]. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
• Open IE, go to Tools > Internet Options > then click on the Security tab, then click on Custom Level. Check the following settings:
  • Download signed ActiveX controls - set to Prompt.
  • Download unsigned ActiveX controls - set to Disable.
  • Initialize and script ActiveX controls marked as unsafe - set to Disable.
Run an online antivirus scan at one of the links here:
[Only Registered and Activated Users Can See Links. Click Here To Register...]


Reboot and post a fresh log
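An added example, not code from this thread or from HijackThis itself: a small Python script that parses HijackThis entry lines and flags the same categories Mobo picks out in the post above (R0/R1 pages served from a res:// DLL, the missing URLSearchHook, a nameless O2 BHO, O15 Trusted Zone additions, O17 NameServer overrides, and O23 services with an unknown publisher or missing binary), then produces the same kind of "put a checkmark next to these" list. The sample lines are constructed from the posted log, not the whole log; the severity labels and the function names `triage_log`, `classify`, `summarize` and `entries_to_fix` are my own choices.

```python
"""Triage a HijackThis log for the entry categories singled out in this thread.

Added example, not part of the forum post or of HijackThis itself.
"""
import re
from typing import Dict, List

# Constructed sample: a handful of lines modelled on the log posted above
# (not the complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yegxe.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FrontierNet
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {E1545A56-DE0C-2E0C-EE11-ABB18D6F1A8E} - C:\WINDOWS\ntmr32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{322E1CA1-4248-4E48-AD10-F81077742F7C}: NameServer = 66.133.191.35 170.215.255.114
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Every entry line has the shape "<code> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2})\s*-\s*(?P<body>.*)$")

SEVERITY_ORDER = {"info": 0, "review": 1, "high": 2}


def classify(code: str, body: str) -> List[Dict[str, str]]:
    """Return the findings (possibly none) for one parsed entry."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, reason: str) -> None:
        findings.append({"code": code, "severity": severity,
                         "reason": reason, "entry": f"{code} - {body}"})

    if code in ("R0", "R1"):
        if "res://" in body:
            # Start/search page is served from a resource inside a DLL on disk.
            add("high", "IE start/search page points at a res:// page inside a DLL")
        elif "Default_Page_URL = about:blank" in body:
            add("review", "default page set to about:blank, as reported in this thread")
    elif code == "R3" and "missing" in body:
        add("review", "default URLSearchHook is missing")
    elif code == "O2" and body.startswith("BHO: (no name)"):
        add("high", "browser helper object registered without a name")
    elif code == "O15":
        # Trusted Zone entries relax ActiveX and scripting restrictions for that site.
        add("high", "site or IP range added to the IE Trusted Zone")
    elif code == "O17":
        m = re.search(r"NameServer = (.+)$", body)
        servers = ", ".join(m.group(1).split()) if m else "?"
        add("info", f"DNS servers set in registry ({servers}); confirm they belong to the ISP")
    elif code == "O23" and ("(file missing)" in body or " - Unknown - " in body):
        add("high", "service with unknown publisher or missing binary")
    return findings


def triage_log(text: str) -> List[Dict[str, str]]:
    """Parse every entry line of a HijackThis log and collect findings."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or a "Running processes" path
        findings.extend(classify(m.group("code"), m.group("body")))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def entries_to_fix(findings: List[Dict[str, str]], min_severity: str = "high") -> List[str]:
    """The entry lines a reviewer would tick in HijackThis, at or above min_severity."""
    threshold = SEVERITY_ORDER[min_severity]
    return [f["entry"] for f in findings if SEVERITY_ORDER[f["severity"]] >= threshold]


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:>6}] {f['reason']}\n         {f['entry']}")
    print(summarize(results))
```

To use it on a real log, pass the saved file's text to `triage_log`. The O17 nameservers are only reported, not flagged, because the thread does not say whether those addresses belong to the ISP; a reviewer has to check that before touching them, which is also why Mobo's fix list above leaves the O17 lines alone.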
#8, 01-22-2005, 10:52 PM
tracy (Junior Member, Join Date: Jan 2005, Posts: 12)
OK, will let you know.
#9, 01-22-2005, 11:10 PM
tracy (Junior Member, Join Date: Jan 2005, Posts: 12)
Question, maybe a dumb one, but you say to open Windows Explorer ("Now open windows explorer, find then delete:
C:\WINDOWS\system32\yegxe.dll
C:\Program Files\webHancer"). Where is that??
#10, 01-22-2005, 11:13 PM
Mobo (Thinking outside the box, Join Date: Sep 2004, Location: Cape Breton, Posts: 4,612)
Right-click Start / Explore / My Computer / C: / WINDOWS / system32 / yegxe.dll

Right-click Start / Explore / My Computer / C: / Program Files / webHancer /
Copyright © 2004-2007 Cyberanswers.org All rights reserved