something evil is in this PC! Anyone know Hijackthis?

GasX

Lifer
Feb 8, 2001
29,033
6
81
A good portion of webpages will not load, or will partially load before giving an error. I am thinking that it's some sort of spyware invasion, but I have run Spybot, Adaware, CWShredder and HijackThis and purged my registry (to the best of my ability). Sadly, one of the pages I can't load is spywareinfo.com, so I can't register and post my HijackThis log for analysis... :|

Can someone post it or tell me what foul evil thing is doing this?

p.s. I know it has something to do with Golden Casino...

Log:

Logfile of HijackThis v1.97.6
Scan saved at 1:36:04 PM, on 11/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\gvpcudcr.exe
C:\WINDOWS\Cyb2k.exe
C:\WINDOWS\System32\ycgumenf.exe
C:\WINDOWS\System32\pxfgqhgb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hppapml0.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Peter Wilding\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [ylgrrqta] C:\WINDOWS\gvpcudcr.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\ycgumenf.exe
O4 - HKLM\..\Run: [gpsxxkvc] C:\WINDOWS\System32\pxfgqhgb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
 

Rainsford

Lifer
Apr 25, 2001
17,515
0
0
The way I figure stuff like this out (usually) is google all the running processes that I don't recognize and see what comes up. I'd give that a try. If that doesn't turn up anything, just kill off the processes one by one and see when you get a working computer back.

Also, cyb2k.exe is cyber sitter, do you mean to have that installed?
 

GasX

Originally posted by: Rainsford
The way I figure stuff like this out (usually) is google all the running processes that I don't recognize and see what comes up. I'd give that a try. If that doesn't turn up anything, just kill off the processes one by one and see when you get a working computer back.

Also, cyb2k.exe is cyber sitter, do you mean to have that installed?
It's my dad's PC and yes. Is that in itself evil?
 

MartyMcFly3

Lifer
Jan 18, 2003
11,436
29
91
Yeah, I had that problem recently too... fortunately Spybot got rid of it, but Internet Explorer always redirected AOL.com to another site... finally at around 1 or 2 this morning I gave up and downloaded Mozilla Firebird...
 

GasX

Originally posted by: MartyMcFly3
Yeah, I had that problem recently too... fortunately Spybot got rid of it, but Internet Explorer always redirected AOL.com to another site... finally at around 1 or 2 this morning I gave up and downloaded Mozilla Firebird...
That won't work. My parents are technophobic enough without me telling them to learn a new browser...

 

TechnoKid

Diamond Member
Feb 12, 2001
5,575
0
0
Your DNS server may be out...sometimes it happens and you can't load certain webpages.

Also, there is a trojan out there that prevents you from connecting to certain pages. Try running antivirus with the latest definitions.
 

dighn

Lifer
Aug 12, 2001
22,820
4
81
These look REALLY suspicious:

O4 - HKLM\..\Run: [ylgrrqta] C:\WINDOWS\gvpcudcr.exe
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\ycgumenf.exe
O4 - HKLM\..\Run: [gpsxxkvc] C:\WINDOWS\System32\pxfgqhgb.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe


why don't you just reformat the computer?
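dighn's read of those four O4 lines can be turned into a repeatable check. The script below is an added example, not code from this thread or from HijackThis: it parses HijackThis O4 (Run key) lines and flags entries whose registry value name or executable name looks random, or which run straight out of the Windows directory. The small allowlist and the "8 or more lowercase letters with at most 25% vowels" threshold are assumptions chosen for illustration. A hit is a prompt to look the file up, as Rainsford suggests, not a verdict: Cyb2k.exe is flagged here because it lives in C:\WINDOWS, yet it is the CYBERsitter install Rainsford identified. The sample lines are copied from the log at the top of the thread.

```python
import re

# Constructed, illustrative allowlist of Windows binaries that legitimately
# live in the Windows directory; a real triage would use a much larger list.
KNOWN_GOOD = {"ctfmon.exe", "explorer.exe", "rundll32.exe"}

# O4 line format: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# Splits a command line into (directory, executable); copes with quoted
# paths and with bare names such as RUNDLL32.EXE that carry no directory.
EXE_RE = re.compile(r'((?:[A-Za-z]:\\)(?:[^\\"]+\\)*)?([^\\"\s]+\.exe)', re.I)

# O4 lines copied from the HijackThis log posted at the top of the thread
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [ylgrrqta] C:\WINDOWS\gvpcudcr.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\ycgumenf.exe
O4 - HKLM\..\Run: [gpsxxkvc] C:\WINDOWS\System32\pxfgqhgb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


def looks_random(token):
    """Crude pronounceability test: 8+ lowercase letters with <= 25% vowels.

    Catches names like 'gvpcudcr' or 'pxfgqhgb' while leaving short or
    mixed-case vendor names (ccApp, NvCplDaemon, ctfmon) alone.
    """
    if len(token) < 8 or not (token.isalpha() and token.islower()):
        return False
    vowels = sum(c in "aeiou" for c in token)
    return vowels / len(token) <= 0.25


def triage(log_text):
    """Return {value_name: [reasons]} for every O4 entry worth a closer look."""
    flagged = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        _hive, value_name, cmd = m.groups()
        em = EXE_RE.search(cmd)
        directory = (em.group(1) or "") if em else ""
        exe = em.group(2) if em else ""
        stem = exe.rsplit(".", 1)[0]

        reasons = []
        if looks_random(value_name):
            reasons.append("random-looking value name")
        if looks_random(stem):
            reasons.append("random-looking executable name")
        # Dropping an .exe directly into %WINDIR% is a common trick; known
        # Windows binaries are excused via the allowlist.
        if directory.upper() == "C:\\WINDOWS\\" and exe.lower() not in KNOWN_GOOD:
            reasons.append("runs directly from the Windows directory")
        if reasons:
            flagged[value_name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4).items():
        print(f"{name:10} -> {'; '.join(reasons)}")
```

Run against the sample, the three entries with eight-letter gibberish names and Belt.exe come out flagged, ctfmon.exe and the vendor entries do not, and Cyb2k.exe lands in the "look it up" pile exactly as it did in the thread.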
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,484
8,345
126
Look at the hosts file and see if there is anything suspicious in there.

It's located in: C:\WINNT\system32\drivers\etc

Unless you specifically put anything in there yourself, it should look like this:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
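vi edit's hosts file check, as an added example that is not from the thread: a Python parser that reads a hosts file and reports every mapping that is not the stock localhost entry, distinguishing names sinkholed to loopback or 0.0.0.0 (which makes a site unreachable) from names pointed at some other address (a silent redirect). The sample files below are constructed; the clean one mirrors the stock file quoted above. On Windows XP and later the live file is %SystemRoot%\system32\drivers\etc\hosts (C:\WINDOWS on a stock XP install, C:\WINNT on NT 4 and 2000), which is what `check_hosts_file` opens when no path is given.

```python
import os

# Stock entries that a clean Windows hosts file may contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Addresses used to sinkhole a name so the browser can never reach it.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments may trail an entry
        if not line:
            continue
        ip, *names = line.split()             # one IP, one or more names
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Return (ip, hostname, verdict) for every mapping that is not stock."""
    found = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if ip in LOOPBACK_OR_NULL:
            verdict = "blocked (sinkholed to loopback/null)"
        else:
            verdict = "redirected"
        found.append((ip, name, verdict))
    return found


def check_hosts_file(path=None):
    """Inspect the live hosts file; defaults to %SystemRoot%\\system32\\drivers\\etc\\hosts."""
    if path is None:
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(root, "system32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read())


# Constructed sample: the stock file, abbreviated, with its commented examples.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97     rhino.acme.com          # source server
# 38.25.63.10      x.acme.com              # x client host

127.0.0.1       localhost
"""

# Constructed sample of a tampered file: a spyware-help site is sinkholed and
# a search site is redirected to an RFC 5737 documentation address.
TAMPERED_HOSTS = CLEAN_HOSTS + """\
127.0.0.1       www.spywareinfo.com
127.0.0.1       spywareinfo.com
192.0.2.10      www.google.com       # constructed redirect
"""

if __name__ == "__main__":
    print("clean file:", suspicious_hosts_entries(CLEAN_HOSTS))
    for entry in suspicious_hosts_entries(TAMPERED_HOSTS):
        print(entry)
```

The clean sample yields nothing; the tampered one reports two sinkholed spywareinfo.com names and one redirected name. That pattern, a clean-looking file except for a handful of security or support sites pointed at 127.0.0.1, is the classic reason a machine can reach most of the web but never the page where help is posted.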
 

GasX

Hosts file is clean. I disabled those suspicious files in msconfig and the casino pop-up is gone.

Unfortunately, web pages are still failing to load... :|
 

GasX

Originally posted by: MrYogi
ad-aware
spybot
spyware blaster
I did all that stuff and some... :(

Adaware removed 100+ items :Q
Spybot killed a bunch too
CWShredder keeps removing Madfinder
Norton removed a trojan
I used Hijackthis to clean up things
I purged the registry of fishy looking items...
I even defragged

The computer is leaner, meaner, faster - it just refuses to load certain pages. ACTUALLY it sometimes seems to start loading before giving the "can't load page" message...