Norton will not auto protect.
no internet access to Norton or Macafee.
NAV live update not able to connect to server.
other sites OK
Window's automatic updates option is "grayed out" not able to select it.
I have attached a text file from hijackthis.

NAV has detected W32.HLLW.Gaobot.GEN, W32.Korgo.V, Trojan.Qhosts, W32.Spybot.Worm

I have followed all NAV removal instructions for the above worms

Any help is appreciated!

sorry, this is the pasted version....

Logfile of HijackThis v1.97.7
Scan saved at 12:33:25 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\netclnt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\csmss.exe
C:\Program Files\Apoint2K\Apntex.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ogjbseu.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [MsgApi] C:\WINDOWS\System32\csmss.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ypmgo.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37625.277037037

Hi duckone,

Download Hoster from here:
http://members.aol.com/toadbee/hoster.zip
Unzip, install the program and run it.
Press *Restore Original Hosts* and press OK*
Exit Hoster, and you should now be able to access the sites you need.

You still have at least one trojan running it looks like (possibly more)

Do this first:

1. Make a copy of these instructions so you have them handy as the next steps need to be done in safe mode with IE closed.

2. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

3. Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Scan with HijackThis, put a check next to each of the following entries and press *fix checked*

O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ogjbseu.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\Run: [MsgApi] C:\WINDOWS\System32\csmss.exe

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ypmgo.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe

O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

while still in SAFE MODE, search for and delete any of the following files found:

C:\WINDOWS\System32\ogjbseu.exe

scrgrd.exe

C:\WINDOWS\System32\csmss.exe

svxhost.exe

C:\WINDOWS\System32\ypmgo.exe
.............................
Now, reboot back into normal Mode. Update your NAV program and do a full system scan.

Make sure you go to Windows update and set all the Security Updates recommended for your Operating System and IE as soon as possible.
http://v4.windowsupdate.microsoft.com/en/default.asp

Once you are all done, please scan once more with HijackThis and post a fresh log please. Let us know how you are doing :)

CJ, thank you for the response. as instructed I have followed your advise. Here is the next hijack this file.
Also, It seems Norton still boots with auto protect disabled, also XP auto update is greyed out. I am not able to select it.

Logfile of HijackThis v1.97.7
Scan saved at 5:32:56 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\netclnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apntex.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37625.277037037

Use HJT to checkmark this item and press *fix checked*

O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe

Reboot and delete this file (if found)

scrgrd.exe

How did the online AV scan go? Did it find any infected files?

Norton disabled - you may need to uninstall/reinstall the program as it may have been tamped with by the virus. Am not sure how to reactivate the auto-update for Windows...I'll check around to see what I can find. Again this is probably the result of the virus if that is a recent development.

Can you get to Windows onine Update and scan to see if you need any?
http://v4.windowsupdate.microsoft.com/en/default.asp

Thank you so much! It seems all Trojans and virus's are gone. I am still experiencing some lingering after affects.
Windows auto update is disabled and greyed out. I can run regsvr32 wuaveng.dll and enable auto update, however upon a system restart, sometimes auto update will be disabled again.

The other issued is Norton antivirus 2002 auto protect. sometimes it is disabled at start-up. Options list it as auto protect upon start up but it seems to have a mind of it's own.
When auto protect is off after reboot, attempting to turn auto protect on, a popup appears with navapsvc in the blue bar and a message "Service could not be deleted"
The Norton came preloaded from Toshiba (no disk) . If a reload is recommended, I can purchase it locally.

Any thoughts are appreciated.

Most people got whacked with that Gaobot because they did not have their WinXP patched in the first place..

These links may help explain it to you and also give you some ideas on how to fix all the rest that still might not be working correctly.


http://help.cwru.edu/news/20040426-1749

http://apscnlan.k12.ar.us/trendbear.htm



http://forum.gladiator-antivirus.com/index...showtopic=14080


http://forum.gladiator-antivirus.com/index...showtopic=14018

also it might not be a bad idea to download and run the fixgaobot tool mentioned in those threads.

Edit: fixed broken link