Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HijackThis Log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HijackThis Log

Unread postby KevC » December 20th, 2004, 4:24 pm

Hi Chris

Hope this makes sense



Logfile of HijackThis v1.99.0
Scan saved at 20:00:31, on 20/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\win32usb.exe
C:\WINDOWS\System32\svmhost.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\dmsvc32.exe
C:\WINDOWS\System32\CSS.exe
C:\m.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taksmgr.exe
C:\WINDOWS\System32\msa.exe
C:\WINDOWS\System32\cosine.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Documents and Settings\Kev.CRUIKS1\Local Settings\Temp\Temporary Directory 1 for hijackthis1990.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Dmsvc32] dmsvc32.exe
O4 - HKLM\..\Run: [Counter Strike: Source] CSS.exe
O4 - HKLM\..\Run: [USB Device] win32usb.exe
O4 - HKLM\..\Run: [Start Upping] taksmgr.exe
O4 - HKLM\..\Run: [REGRUN] C:\m.exe
O4 - HKLM\..\Run: [68BsY] c:\documents and settings\kev.cruiks1\local settings\temp\68BsY.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [Dmsvc32] dmsvc32.exe
O4 - HKLM\..\RunServices: [Counter Strike: Source] CSS.exe
O4 - HKLM\..\RunServices: [USB Device] win32usb.exe
O4 - HKLM\..\RunServices: [Start Upping] taksmgr.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunOnce: [USB Device] win32usb.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [Start Upping] taksmgr.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKCU\..\RunOnce: [USB Device] win32usb.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2548618769
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
KevC
Active Member
 
Posts: 5
Joined: December 20th, 2004, 4:09 pm
Advertisement
Register to Remove

Unread postby ChrisRLG » December 20th, 2004, 7:34 pm

Hi Kevin.

Welcome to Malware Removal.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. Please delete the old copy (including the zip copy) so it can't be used.
If required a tutorial is here = Hijackthis Folder Tutorial
======================================
You have a lot of trojan type virius's - so I suggest you load a speciallist trojan hunter program - they have a 30 day trial offer at http://www.trojanhunter.com Install update the signature files and set it scanning.

Then reboot.

Because you will have run trojan hunter some of the items listed below may alrewady be gone - hopefully, If not this will remove them.

Use 'ctrl' + 'alt' + 'del' (Three keys together) to get taskmanager. Find these processes and 'end task' them.
OR
Use the process viewer in Hijackthis, Config, Misc Tools, Process Viewer, to unload the following running processes.

(They MAY not be running)

m.exe
68BsY.exe
dmsvc32.exe
CSS.exe
taksmgr.exe
msa.exe
cosine.exe
win32usb.exe
svmhost.exe

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Dmsvc32] dmsvc32.exe
O4 - HKLM\..\Run: [Counter Strike: Source] CSS.exe
O4 - HKLM\..\Run: [USB Device] win32usb.exe
O4 - HKLM\..\Run: [Start Upping] taksmgr.exe
O4 - HKLM\..\Run: [REGRUN] C:\m.exe
O4 - HKLM\..\Run: [68BsY] c:\documents and settings\kev.cruiks1\local settings\temp\68BsY.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [Dmsvc32] dmsvc32.exe
O4 - HKLM\..\RunServices: [Counter Strike: Source] CSS.exe
O4 - HKLM\..\RunServices: [USB Device] win32usb.exe
O4 - HKLM\..\RunServices: [Start Upping] taksmgr.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunOnce: [USB Device] win32usb.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [Start Upping] taksmgr.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKCU\..\RunOnce: [USB Device] win32usb.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Or items 8 & 9 from this link :
http://www.russelltexas.com/malware/faqhijackthis.htm )

C:\WINDOWS\System32\dmsvc32.exe
C:\WINDOWS\System32\CSS.exe
C:\WINDOWS\System32\win32usb.exe
C:\WINDOWS\System32\taksmgr.exe
C:\m.exe
c:\documents and settings\kev.cruiks1\local settings\temp\68BsY.exe
C:\WINDOWS\System32\msa.exe
C:\WINDOWS\System32\cosine.exe
C:\WINDOWS\System32\svmhost.exe

Then Reboot and post a fresh log for me to check.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

New Log

Unread postby KevC » December 21st, 2004, 6:40 pm

HI Chris

Tried to download trojanhunter but kept telling me that my trial period had expired.

Went through and removed all of the code you suggested

Computer worked like a dream much faster booted up very quickly

BUT

Then tried trojanhunter again and I think I have downloaded some more spyware

MSREPAIR.EXE using 99% processor power until I stopped it

Is now slow rebooting etc, but at moment no filth coming through when connected to the net

Attach herewith fresh hijack this log for your comment

Mant THanks


Kev

Logfile of HijackThis v1.99.0
Scan saved at 22:31:40, on 21/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\System32\msrepair.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\rdmthius.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\program files\180solutions\sais.exe
C:\WINDOWS\pixupkj.exe
C:\PROGRA~1\COMMON~1\tsa\tsl.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\aamklt.exe
O4 - HKLM\..\Run: [msrepair] msrepair.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sFSdsG] C:\WINDOWS\rdmthius.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [pixupkj] C:\WINDOWS\pixupkj.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\RunServices: [msrepair] msrepair.exe
O4 - HKLM\..\RunOnce: [msrepair] msrepair.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msrepair] msrepair.exe
O4 - HKCU\..\RunOnce: [msrepair] msrepair.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2548618769
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
KevC
Active Member
 
Posts: 5
Joined: December 20th, 2004, 4:09 pm

Unread postby ChrisRLG » December 22nd, 2004, 4:56 am

Yep - but not the same ones.

OK you need to activate the windows firewall before going back on the internet - see the link to one of my sites - fiewall section for instructions - a better firewal would be the ZoneAlarm one - Don't have two of them running, this is one case where double protection can give problems.
http://www.cjwd.demon.co.uk/compsafetyonline.html

Use 'ctrl' + 'alt' + 'del' (Three keys together) to get taskmanager. Find these processes and 'end task' them.
OR
Use the process viewer in Hijackthis, Config, Misc Tools, Process Viewer, to unload the following running processes.


istsvc.exe
aamklt.exe
tsl.exe
optimize.exe"
sais.exe
msrepair.exe
WinServAd.exe
rdmthius.exe
pixupkj.exe

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\aamklt.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [msrepair] msrepair.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [sFSdsG] C:\WINDOWS\rdmthius.exe
O4 - HKLM\..\Run: [pixupkj] C:\WINDOWS\pixupkj.exe
O4 - HKLM\..\RunServices: [msrepair] msrepair.exe
O4 - HKLM\..\RunOnce: [msrepair] msrepair.exe
O4 - HKCU\..\Run: [msrepair] msrepair.exe
O4 - HKCU\..\RunOnce: [msrepair] msrepair.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Or items 8 & 9 from this link :
http://www.russelltexas.com/malware/faqhijackthis.htm )

Folder > C:\Program Files\ISTsvc\
File > > C:\WINDOWS\System32\aamklt.exe
Folder > C:\PROGRA~1\COMMON~1\tsa\
Folder > C:\Program Files\Internet Optimizer\
Folder > c:\program files\180solutions\
File > > C:\WINDOWS\System32\msrepair.exe
Folder > C:\Program Files\Windows ServeAd\
File > > C:\WINDOWS\rdmthius.exe
File > > C:\WINDOWS\pixupkj.exe
Folder > C:\Program Files\SideFind\

Then Reboot and post a fresh log for me to check.

Don't go on the internet except to go to this website to post your new log for me. If you are using outlook express - turn off the preview pane in menu, view, layout.

I will give a list of programs to install when you are clean.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

3rd Time Lucky !

Unread postby KevC » December 29th, 2004, 5:27 pm

HI Chris

Please find attached my log after cleansing you advised

Havnt yet attached to the net

My infected PC doesnt yet have SP2 and hasnt got updated virus defs yet as havnt been able to log on due to infection

Hope you had a good Christmas & have a great new year

Regards


Kevin

Logfile of HijackThis v1.99.0
Scan saved at 21:23:23, on 29/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2548618769
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
KevC
Active Member
 
Posts: 5
Joined: December 20th, 2004, 4:09 pm

Unread postby ChrisRLG » December 29th, 2004, 5:44 pm

Hi kev.

Yep a nice christmas break - not back till the new year - But I expect you have had to go back before that.

Here is my all clean speech - standard issue - follow that should see you safer - although nothing can make it 100% safe.

=========================
This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re enable system restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

May your God go with you..
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

So Near Yet So Far

Unread postby KevC » December 31st, 2004, 8:43 am

Hi Chris

Managed to log on and download virus defs update from Symantec. During this download it got progressively slower with lots of modem activity

Ran a virus scan and lots of infection mainly W32.KorGo. AB and several others including w32.IRCBot, w32.Spybot Worm

Now cleansed of virus's but seem to have some more spyware. Log attacged.

Downloaded XoftSpy and ran a scan which shows IBIS toolbar in the Registry and Windows Ad Service in ide21201.vxd, Lavasoft and spybot dont detect this.

Symantec issue dire warnings about back doors being opened etc and reinstalling windows and passwords. I wonder if I have been got at as I can no longer access the infected PC over my home network, keeps asking for a password which I have never installed

Clearly still something causing problems, over to you

Happy New Year !

Kevin


Logfile of HijackThis v1.99.0
Scan saved at 12:20:05, on 31/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\smsss.exe
C:\WINDOWS\System32\winmp.exe
C:\WINDOWS\System32\hess.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [MSIdll] winmp.exe
O4 - HKLM\..\Run: [wzservice] hess.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [MSIdll] winmp.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2548618769
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
KevC
Active Member
 
Posts: 5
Joined: December 20th, 2004, 4:09 pm

Unread postby ChrisRLG » December 31st, 2004, 11:42 am

Hi kev - you do seem to find them - another NEW batch.

Boot to safe mode.

check in taskmanager that none of those programs below are running - if they are endtask them.

In hijackthis :-

O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [MSIdll] winmp.exe
O4 - HKLM\..\Run: [wzservice] hess.exe
O4 - HKLM\..\Run: [NvCplScan] msc32.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [MSIdll] winmp.exe
O4 - HKLM\..\RunServices: [NvCplScan] msc32.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [NvCplScan] msc32.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe

Check those in hjtackthis and with ALL other windows closed, fix checked.

Then in windows explorer find and delete these files.

C:\WINDOWS\System32\smsss.exe
C:\WINDOWS\System32\winmp.exe
C:\WINDOWS\System32\hess.exe
msc32.exe (probably in the same folder - but you may need to search for it)

You must have that firewall active before you go on the net. :)

One other question - do you have more that one account on this computer. More than one loggin name. If you do - I need a HJT log from each username.

Advice - take a copy of Hijachthis log - and watch for any new additions to it, when you run it the next time. If you have added a new program that starts up with the computer it will add itself to that list - any others are suspect. The O4 lines are the starting programs - I have left just :-

BT Voyager - Your DSL modem.
Symantec Shared - your Anti-Virus
CTFMON.EXE - language setting for windows. - you can remove if you wish.
MSMSGS - windows messenger - you can remove if you wish.

the O23's are also startups - but yours are all for your AV.

Post back with that new HJT log - and get those programs - Spybot (With teatimer option) and spywareguard installed. PS they will both add items to the startups :)

The teatimer option will monitor all those items in the HJT loogs (or the registry) and warn you if something is being added - like an early warning system :)
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Hoorah!!!

Unread postby KevC » January 2nd, 2005, 12:00 pm

Hi Chris

I think we are there, upgraded XP with SP2 all ok

Many Many Thanks for all your help, I owe you one

REgards


Kevin
KevC
Active Member
 
Posts: 5
Joined: December 20th, 2004, 4:09 pm

Unread postby ChrisRLG » January 2nd, 2005, 3:33 pm

I would like to see a last HJT log when you have time - its noce to complete tis type of thread so it looks conmplete, and I would be happer seeing it clean.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 483 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware