Thread: MSN virus
11-26-2006, 04:56 PM   #9
Susan528
Analyst, Security Team
 
Join Date: Nov 2006
Posts: 215
OS: WinXP Pro


Hi forcifer,

You got rid of the rootkit! Please do the following:

Please set your system to show all files; please see here if you're unsure how to do this.

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Microsoft authenticate service (MsaSvc)
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Scan with HijackThis. Place a check against each of the following:
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3CB58F01-0510-1033-0415-051006200001}\888.dll (file missing)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3CB58F01-0510-1033-0415-051006200001}\888.dll (file missing)
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\winstall.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Close all windows or browsers except for HijackThis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them (if they exist):
C:\WINDOWS\system32\winstall.exe <= file
C:\WINDOWS\system32\msasvc.exe <= file

Exit Explorer, and reboot as normal afterwards.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner


Next, click on Launch Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information from Kaspersky in your next post.


Post (reply) with a fresh HijackThis log and the Kaspersky log.
__________________



Proud member of ASAP since 2005

Last edited by Susan528; 11-26-2006 at 04:58 PM.
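
An added example, not part of Susan528's post: a small Python check that parses a fresh HijackThis log and reports any line still referencing the CLSID, service or files named in the post. The sample log, the `Example` names and the function names are constructed for illustration.

```python
import re

# Indicators copied from the four HijackThis entries in the post above.
TARGET_CLSID = "{c004dec2-2623-438e-9ca2-c9043ab28508}"
TARGET_FILES = {r"c:\windows\system32\winstall.exe",
                r"c:\windows\system32\msasvc.exe"}
TARGET_SERVICE = "msasvc"

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVICE_RE = re.compile(r"^Service: .*?\(([^()]+)\) - ")

def parse_entry(line):
    """Split one log line into the fields needed for matching."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    # Lines without an "Oxx - " prefix may be running-process paths.
    section, body = m.groups() if m else ("process", line)
    path = PATH_RE.search(body)
    if not m and not (path and path.group(0) == body):
        return None  # header or blank line
    svc = SERVICE_RE.match(body)
    return {"section": section,
            "clsids": {c.lower() for c in CLSID_RE.findall(body)},
            "path": path.group(0).lower() if path else None,
            "service": svc.group(1).lower() if svc else None,
            "file_missing": body.endswith("(file missing)"),
            "raw": line}

def leftover_entries(log_text):
    """Return parsed entries that still reference the removed items."""
    return [e for e in map(parse_entry, log_text.splitlines())
            if e and (TARGET_CLSID in e["clsids"]
                      or e["path"] in TARGET_FILES
                      or e["service"] == TARGET_SERVICE)]

# Constructed sample of a post-cleanup log (not from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\example.dll
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\winstall.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Program Files\Example\svc.exe
"""

if __name__ == "__main__":
    for entry in leftover_entries(SAMPLE_LOG):
        print("still present:", entry["raw"])
```

An empty result means none of the four fixed entries reappeared after the reboot; any hit is a line to raise in the follow-up post.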