
Please help, viruses

1179 Views 1 Reply 2 Participants Last post by  tetonbob
Hi, I could really use some assistance with getting rid of a virus that is attacking my system. Please help.

~Inglima8

Logfile of HijackThis v1.99.1
Scan saved at 4:30:27 PM, on 1/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RxMon.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\lnwin.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Embarq TotalAccess\TaskPanl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\ntvdm.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\Embarq TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: EMBARQ Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\Embarq TotalAccess\Toolbar\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe
O4 - HKCU\..\Run: [Brct] "C:\DOCUME~1\ADMINI~1\APPLIC~1\APPATC~1\msdtc.exe" -vt wnew
O4 - HKCU\..\Run: [Kmzbro] C:\Documents and Settings\Administrator\Application Data\a?sembly\?explore.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\Embarq TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\Embarq TotalAccess\Toolbar\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A618972E-6D72-4BB0-B870-7E48AB99FFCB}: NameServer = 202.157.163.157
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RxMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Status
Not open for further replies.
1 - 2 of 2 Posts
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download combofix.exe to your desktop. We'll use this later.

---------------------------------------------------------------------------------------------

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):


R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe
O4 - HKCU\..\Run: [Brct] "C:\DOCUME~1\ADMINI~1\APPLIC~1\APPATC~1\msdtc.exe" -vt wnew
O4 - HKCU\..\Run: [Kmzbro] C:\Documents and Settings\Administrator\Application Data\a?sembly\?explore.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205 <<<<Note!!! Only these O17 entries I have listed. There is one legit O17 entry in your log.


Click FIX CHECKED. Close HijackThis.

At the end of this fix, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ).

**If you receive an error message while trying to run FixWareout, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder, and run FixWareout again.
----------------------------------------------------------------------------------------------------------

Run ComboFix

  • Double click on combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD:

    C:\WINNT\system32\lnwin.exe (or simply copy/paste the file path into the box next to the Browse button, then Click Send.)

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply together with a new HijackThis log, the results from combofix, located at C:\ComboFix.txt, and the results from FixWareout, located at C:\FixWareout\report.txt.


---------------------------------------------------------------------------------------------
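Added example, not part of the original reply: a small Python check that matches a helper's fix list against a fresh HijackThis scan, showing which listed items are present ("if found"), which are absent, and which entries in the same groups are left unticked (such as the one O17 entry the reply leaves alone). The function names and the trimmed sample inputs are constructed for illustration from lines quoted in this thread.

```python
import re

# Constructed sample inputs: a few lines copied from the log and fix list in this thread.
SCAN = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A618972E-6D72-4BB0-B870-7E48AB99FFCB}: NameServer = 202.157.163.157
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
"""
FIX_LIST = r"""
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205 <<<<Note!!! Only these O17 entries I have listed.
"""

# Item lines start with a group code such as R3, O4 or O17, then " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(text):
    """Map (group, normalized body) -> original line; header and process lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("<<<<")[0].strip()   # drop a helper's trailing annotation
        m = ENTRY.match(line)
        if m:
            # Collapse whitespace and ignore case (Windows paths are case-insensitive).
            key = (m.group(1), " ".join(m.group(2).split()).casefold())
            entries[key] = line
    return entries

def plan(scan_text, fix_text):
    """Return (items to tick, listed items not in the scan, same-group items to leave)."""
    scan, fix = parse_entries(scan_text), parse_entries(fix_text)
    check = [scan[k] for k in scan if k in fix]
    absent = [fix[k] for k in fix if k not in scan]
    touched = {k[0] for k in scan if k in fix}
    leave = [scan[k] for k in scan if k[0] in touched and k not in fix]
    return check, absent, leave

if __name__ == "__main__":
    for title, lines in zip(("TICK", "NOT FOUND", "LEAVE"), plan(SCAN, FIX_LIST)):
        print(title, *lines, sep="\n  ")
```
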