Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virus,malware n spyware spreading in my office network.HELP!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virus,malware n spyware spreading in my office network.HELP!

Unread postby longjohn » July 12th, 2007, 5:26 am

Hello and good day to you..
I am an administrator in my office..a small firm without those expensive anti virus software/server. About 20 coms are connected to the network and all of them are capable of

1. accessing data files in the server
2. P2P, messenger services
3. browsing internet

Recently one of the computer is infected with worm W32.Sonahad.AI (the symptoms match the most of its description). Shortly after that at least 5 other coms are infected as well. The othe 15 is undetermined for this time being (if the r infected, it's not too serious).

Anyway one brand new CPU arrive for the new staff. I plug it into the network and the staff runs all the services above. I've installed AVG anti-virus free edition on the com and assumed it is safe to plug it into the network. Below is the HJT log of the com after being plug into the network. Please advise if this com has been infected. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:45 PM, on 12/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
\Starkserver\y\Adli\Apps\HiJackThis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F778EB5B-ABCC-431D-91FA-D296B5295C43}: NameServer = 202.188.0.136,202.188.0.133
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 2945 bytes
longjohn
Active Member
 
Posts: 2
Joined: July 12th, 2007, 5:10 am
Advertisement
Register to Remove

Unread postby ndmmxiaomayi » July 15th, 2007, 4:26 am

Hi longjohn. :)

Welcome to Malware Removal Forum. My name is mayi and I will be helping you. As I am still an undergraduate, I will need my fixes checked before posting back to you. Thank you for your patience.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby ndmmxiaomayi » July 15th, 2007, 7:56 am

Hi longjohn,

Please disconnect this computer from the network to prevent it from getting infected.

Also, do you use the Messenger to receive network messages? If yes, please delete this line from Step 3: sc config messenger start= demand before saving and running the stop.bat file.

Step 1

Please rename HijackThis.exe to dumb.exe by doing the following:

  1. Navigate to Starkserver\y\Adli\Apps\HiJackThis and right click on HijackThis.exe. Select Rename.
  2. Type in dumb. Press Enter.
  3. Double click on dumb to run it. Select Do a system scan and save a logfile. Post this log in your next reply.
Do not close HijackThis yet.

  1. Click on the Config... button at the bottom right hand corner.
  2. At the top, click on the Misc Tools button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this list in your next reply.

Step 2

Please uninstall Yahoo! Messenger by following the following:

  1. Go to Start > Control Panel. Double click on Add/Remove Programs.
  2. Locate Yahoo! Messenger and click on Change/Remove to uninstall it.
  3. Once done, close Add/Remove Programs and Control Panel.

Step 3

Please copy the following in the Code box into Notepad.

Code: Select all
sc stop messenger
sc config messenger start= demand


Click on File > Save As....

In the File Name box, copy and paste in stop.bat
In the Save as type box, select All Files from the drop-down list.

Click Save.

Double click on stop.bat. A Command Prompt window will open and close quickly. It is normal.

After that, restart your computer.

In your next reply, please post:

  1. A new HijackThis log
  2. The Uninstall list
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby longjohn » July 15th, 2007, 10:32 am

Hello Mayi, my name's Adli and thanx for yr reply..
Due to late respond, I took my iniative to solve the problem my self and so far it worked. I will post again should I have problems arise. Thanks again..
longjohn
Active Member
 
Posts: 2
Joined: July 12th, 2007, 5:10 am

Unread postby Elrond » July 15th, 2007, 12:41 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 298 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware