~*~*THIS IS REALLY LONG, BUT PLEASE STICK WITH ME...I REALLY NEED YOUR HELP!!!*~*~
>>>Hi everyone... I hope you all are doing OK, and everyone's computer is running great... unfortunately, mine is not. Previously, I have received much help from simply reading other people's posts and replies, and I want to thank everyone who takes time to help people out with these computer difficulties! If it may in any way be possible to help me, I would GREATLY appreciate it...
OK, here's the situation...
I have Windows XP Home Edition, and I have a whole lot of things wrong with my computer. I mean, it is so bad that the logical thing to do would be to wipe the hard drive and start again, but I cannot do so since the computer was given to me, and I do not have a backup copy of the software. :(
~*SO*~ here's the deal...
1> I have a virus in my AIM that says "Happy Holidays Everyone!!New Years 2003 Partayy!"
2> I have A WHOLE LOT of adware on my computer, despite having both Spy-Bot and Ad-Aware installed, and frequently scanning
(the two most annoying things are Golden Palace Casino and System32... ahhhhhh!!!)
3> My Task Manager has been disabled by some kind of virus (that means when I press CTRL+ALT+DEL it either NEVER comes up or comes up for about 1 second and goes away)... which means I can't see any of my running processes or stuff...
4> When I hit "Start" then "Run", it only lasts for a few seconds and closes out
5> I downloaded *HijackThis* and did a scan... here is my log...
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\syscfg.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\qkshield.exe
C:\WINDOWS\gluzymsx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\syslaunch.exe
C:\WINDOWS\System32\gpilxq.exe
C:\WINDOWS\System32\whpgswqc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\WUCAUMQR.exe
C:\WINDOWS\AST.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivesearch.com/search.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://us4.hpwis.com/
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {5E992438-A034-B673-DE1B-714B6A43FA2D} - C:\WINDOWS\system32\jbtgbrsg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: (no name) - {FC8FA1D5-ED71-D57F-8B7D-EA116D154A62} - C:\WINDOWS\system32\wykrutdc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
O4 - HKLM\..\Run: [uczgdmlh] C:\WINDOWS\gluzymsx.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [w] C:\WINDOWS\System32\gpilxq.exe
O4 - HKLM\..\Run: [feoeoqtj] C:\WINDOWS\System32\whpgswqc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Loader] syscfg.exe
O4 - HKLM\..\Run: [Winsock2 driver] WUCAUMQR.exe
O4 - HKLM\..\Run: [AST] C:\WINDOWS\AST
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Grokster\Grokster.exe /SYSTRAY
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\RunServices: [System Loader] syscfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] WUCAUMQR.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15f6732aafa7bb93ef20/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
IS THERE ANYONE OUT THERE TO HELP ME?!?! :(

Hi Katee
I believe that's the Spybot worm - known by other names too!
Go to this site
http://rsaisp.com/software.asp
and follow the instructions for RealPhx removal. Only 3 instructions!

I should have added that what I wrote serves for the "Happy holiday......." only. For more detailed look at your HJT log I leave to others!!

Hi Katee,
You have a whole bunch of nasties: W32.Spybot, W32.Gaobot and numerous spyware applications. Please do the following:
1. Download, unzip and run Process Explorer and end process (kill) the following items:
C:\WINDOWS\System32\syscfg.exe
C:\WINDOWS\gluzymsx.exe
C:\WINDOWS\System32\gpilxq.exe
C:\WINDOWS\System32\whpgswqc.exe
C:\Program Files\syslaunch.exe
C:\WINDOWS\System32\WUCAUMQR.exe
C:\WINDOWS\AST.exe
2. Run HT again and check the following items. Double-check so as to be sure not to miss one.
Next, close all browser windows, and have HT 'fix checked'. You must restart your computer in Safe Mode when you're done.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivesearch.com/search.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
O2 - BHO: (no name) - {5E992438-A034-B673-DE1B-714B6A43FA2D} - C:\WINDOWS\system32\jbtgbrsg.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: (no name) - {FC8FA1D5-ED71-D57F-8B7D-EA116D154A62} - C:\WINDOWS\system32\wykrutdc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O4 - HKLM\..\Run: [uczgdmlh] C:\WINDOWS\gluzymsx.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [w] C:\WINDOWS\System32\gpilxq.exe
O4 - HKLM\..\Run: [feoeoqtj] C:\WINDOWS\System32\whpgswqc.exe
O4 - HKLM\..\Run: [System Loader] syscfg.exe
O4 - HKLM\..\Run: [Winsock2 driver] WUCAUMQR.exe
O4 - HKLM\..\Run: [AST] C:\WINDOWS\AST
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\RunServices: [System Loader] syscfg.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\RunOnce: [Winsock2 driver] WUCAUMQR.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15f6732aafa7bb93ef20/netzip/RdxIE601.cab
Once in safe mode delete the following:
C:\WINDOWS\gluzymsx.exe
c:\program files\winfavorites folder
C:\Program Files\syslaunch.exe
C:\WINDOWS\Belt.exe
C:\WINDOWS\System32\gpilxq.exe
C:\WINDOWS\System32\whpgswqc.exe
C:\WINDOWS\System32\syscfg.exe
C:\WINDOWS\System32\WUCAUMQR.exe
C:\WINDOWS\AST.exe
C:\WINDOWS\ARUpdate.exe
3. Reboot to Windows and run an online virus scan here. Delete any files listed as infected.
RAV
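The reply above works through the log by eye: nameless Run entries, entries that point at a directory instead of a file, bare file names with no path, binaries dropped straight into C:\WINDOWS, and random-looking names. The script below is an added example, not part of the thread and not a HijackThis feature; it parses the O2 (BHO) and O4 (autostart) line formats as they appear in the log and applies those heuristics mechanically. The sample lines are copied from the log above and are a constructed, shortened input; the flag names and the vowel-ratio threshold for "random-looking" are my own choices. Every flag is a triage hint to be confirmed by hand, not a verdict: vendor bloatware such as hpsysdrv.exe trips the name heuristic.

```python
"""Triage helper for a HijackThis (HJT) log (added example, not HJT's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of O2/O4 lines from the log in this thread.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {5E992438-A034-B673-DE1B-714B6A43FA2D} - C:\\WINDOWS\\system32\\jbtgbrsg.dll",
    "O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll",
    "O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe",
    "O4 - HKLM\\..\\Run: [uczgdmlh] C:\\WINDOWS\\gluzymsx.exe",
    "O4 - HKLM\\..\\Run: [Belt] C:\\WINDOWS\\Belt.exe",
    "O4 - HKLM\\..\\Run: [] c:\\WINDOWS\\System32\\",
    "O4 - HKLM\\..\\Run: [w] C:\\WINDOWS\\System32\\gpilxq.exe",
    "O4 - HKLM\\..\\Run: [System Loader] syscfg.exe",
    "O4 - HKLM\\..\\RunServices: [System Loader] syscfg.exe",
    "O4 - HKCU\\..\\RunOnce: [Winsock2 driver] WUCAUMQR.exe",
    "O4 - HKLM\\..\\Run: [TkBellExe] \"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot",
    "R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.topfivesearch.com/search.asp",
])

# Line shapes as printed by HijackThis: "O4 - HKLM\..\Run: [name] command" and
# "O2 - BHO: name - {CLSID} - path". Other sections are ignored here.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
VOWELS = set("aeiou")


@dataclass
class Entry:
    kind: str                    # "O2" or "O4"
    name: str                    # Run value name or BHO display name
    target: str                  # executable / DLL path exactly as written in the log
    raw: str                     # the original log line
    flags: list = field(default_factory=list)


def _target_from_cmd(cmd: str) -> str:
    """Pull the program path out of a Run command; keep unquoted paths with spaces intact."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: cut at the first " -switch" or " /switch".
    return re.split(r" [-/]", cmd, maxsplit=1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic (mine): six or more letters with under 20% vowels, e.g. gpilxq, whpgswqc."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    return sum(c in VOWELS for c in s) / len(s) < 0.2


def flags_for(name: str, target: str) -> list:
    flags = []
    t = target.strip()
    if name == "" or name.lower() == "(no name)":
        flags.append("nameless")
    if t.endswith("\\"):
        flags.append("points-at-directory")     # no file at all; the entry is junk or a decoy
        return flags
    directory, _, filename = t.rpartition("\\")
    if not directory:
        flags.append("bare-filename")           # resolved via PATH; hides where the file really lives
    elif directory.lower() == "c:\\windows":
        flags.append("in-windows-root")         # legitimate software rarely installs here
    if looks_random(filename.rsplit(".", 1)[0]):
        flags.append("random-name")
    return flags


def parse(log_text: str) -> list:
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if m := O4_RE.match(raw):
            entries.append(Entry("O4", m["name"], _target_from_cmd(m["cmd"]), raw))
        elif m := O2_RE.match(raw):
            entries.append(Entry("O2", m["name"], m["path"].strip(), raw))
    for e in entries:
        e.flags = flags_for(e.name, e.target)
    return entries


def suspicious(log_text: str) -> dict:
    """Raw log line -> list of flags, for every entry that tripped at least one heuristic."""
    return {e.raw: e.flags for e in parse(log_text) if e.flags}


def paths_to_inspect(log_text: str) -> list:
    """Absolute paths of flagged O4 targets: what to look for first in Process Explorer."""
    seen = []
    for e in parse(log_text):
        if e.kind == "O4" and e.flags and "\\" in e.target and not e.target.endswith("\\"):
            if e.target not in seen:
                seen.append(e.target)
    return seen


if __name__ == "__main__":
    for line, flags in suspicious(SAMPLE_LOG).items():
        print(", ".join(flags).ljust(34), line)
```

Run it against a full log and read the flagged lines alongside the unflagged ones: the RunServices and RunOnce copies of the same bare file name show up next to each other, which is the pattern the reply above is catching when it lists syscfg.exe and WUCAUMQR.exe under more than one key.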

Hi Katee, Ray, Tom, hello everyone,
You can remove these also.
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
Best Regards,
Mesich

After you get your computer cleaned out, then read this:
So how did I get infected in the first place?
Get SpywareBlaster and SpywareGuard, beef up your browser security too.
