Status: Not open for further replies.

Discussion Starter #1 (Registered, 10 Posts)
Last night I found out that this computer had gotten some sort of virus that sets the homepage of IE to www.joyiex.com and makes it unchangeable. After updating and running Spybot to fix it (and finding no problems) I went about updating Norton so I could do a scan in that for it. When my computer reset to install the updates and went into Windows it loaded the background but nothing else was displayed, no icons or taskbar. When I tried to ctrl+alt+del it said the administrator (which there is none on this computer) had disabled that function.

I then rebooted in safe mode and entered through "administrator" (which wasn't there before). Norton found no problems when I ran the scan through there but ewido fixed up about 300 (mostly cookies). I ran a vb script so now the desktop and taskbar work again.

When I start windows it wants to either run or install "SVOHOST.exe" and "prnit.exe".

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:09:55 PM, on 2/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SVOHOST.exe
C:\Old Hdd\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.joyiex.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.joyiex.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.joyiex.com
F2 - REG:system.ini: Shell=Explorer.exe prnit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Old Hdd\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfnom.exe] C:\WINDOWS\SVOHOST.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Reply from Manager, The Conversation Pit/Analyst, Security Te (14,513 Posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Post the log from the Panda scan here.

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and Microsoft AntiSpyware. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\SVOHOST.exe


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.joyiex.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.joyiex.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.joyiex.com
F2 - REG:system.ini: Shell=Explorer.exe prnit.exe
O4 - HKCU\..\Run: [ctfnom.exe] C:\WINDOWS\SVOHOST.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

prnit.exe <<< Do a search for this file and delete it
C:\WINDOWS\SVOHOST.exe

Restart and run a new HijackThis scan. Save the log file and Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it back here.
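The checks applied above (all the R0/R1 entries pointing at one host, an extra executable on the system.ini Shell line, a Run entry named after ctfmon.exe that actually launches C:\WINDOWS\SVOHOST.exe, an O16 cab loaded from file://) can be applied mechanically to a HijackThis log. The script below is an added example, not code from this thread or from HijackThis; the rule names, the SYSTEM_NAMES list and the one-edit lookalike heuristic are my own assumptions, and SAMPLE_LOG is assembled from lines posted in this thread.

```python
"""Triage a HijackThis 1.99 log for the patterns this thread acted on.
Added example, not code from the thread or from HijackThis: the rules and
SYSTEM_NAMES are my assumptions; SAMPLE_LOG is assembled from lines in the thread."""
import re
from collections import Counter
from urllib.parse import urlparse

# Windows binaries that malware imitates with one-character name changes
# (SVOHOST.exe vs svchost.exe and lsasa.exe vs lsass.exe in this thread).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "ctfmon.exe", "explorer.exe",
                "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe"}

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\SVOHOST.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.joyiex.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.joyiex.com
F2 - REG:system.ini: Shell=Explorer.exe prnit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfnom.exe] C:\WINDOWS\SVOHOST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
"""

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(filename):
    """The system binary that filename is exactly one edit away from, else None."""
    name = filename.lower()
    hits = [s for s in sorted(SYSTEM_NAMES) if edit_distance(name, s) == 1]
    return hits[0] if hits and name not in SYSTEM_NAMES else None

def basename(path):
    """Last component of a Windows path, surrounding quotes stripped."""
    return path.strip('"').rstrip("\\").split("\\")[-1]

def first_path(command):
    """Executable part of a Run-key command: the quoted path or the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""

def triage(log_text):
    """Return (rule, evidence) findings for the text of a HijackThis log."""
    findings = []
    hosts = Counter()
    for line in (raw.strip() for raw in log_text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):  # an entry under "Running processes"
            legit = typosquat_of(basename(line))
            if legit:
                findings.append(("lookalike process", f"{line} resembles {legit}"))
            continue
        m = re.match(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname
            if host:
                hosts[host] += 1
        elif kind == "F2" and "Shell=" in body:
            extra = [t for t in body.split("Shell=", 1)[1].split()
                     if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("extra shell executable", " ".join(extra)))
        elif kind == "O4" and "] " in body:
            path = first_path(body.split("] ", 1)[1])
            if re.match(r"^[a-z]:\\windows\\[^\\]+$", path.lower()):
                findings.append(("startup item directly in Windows root", path))
            legit = typosquat_of(basename(path))
            if legit:
                findings.append(("lookalike startup item", f"{path} resembles {legit}"))
        elif kind == "O6":
            findings.append(("IE policy restriction present", body))
        elif kind == "O16" and "file://" in body.lower():
            findings.append(("ActiveX cab loaded from a local file", body))
    for host, n in hosts.items():
        if n >= 3:
            findings.append(("home/search pages redirected", f"{n} entries point to {host}"))
    return findings

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule}: {evidence}")
```

Run against the full log, every finding still needs a human decision (the Local Page and O6 entries here, for instance, are also how a locked home page shows up), so treat the output as a review list rather than a fix list.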
 

Discussion Starter #3 (Registered, 10 Posts) (Edited)
Okay I did exactly what you said. Here's the result.txt log:

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:41:00 AM, on 3/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Old Hdd\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Old Hdd\Program Files\Winamp\winampa.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{922A611E-3722-47BB-B03A-9E8A079B4DBD}: NameServer = 203.0.178.191
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


End of KRC HijackThis Analyzer Log.
====================================================================



Everything seems to be fixed except the IE homepage has gone from www.joyiex.com to a blank page. It's still unchangeable.
 

Reply from Manager, The Conversation Pit/Analyst, Security Te (14,513 Posts)
Easy enough to fix that one.

Open up IE and type whatever address you want for your home page. Then click on Tools, then Internet Options. Then click Use Current to use that page as your home page. Click Apply and OK.

Are you having any problems now that we can help with?
 

Discussion Starter #5 (Registered, 10 Posts)
The problem is that all those buttons (use current, use default, use blank) are all unclickable so it's sort of impossible to change the homepage.

Everything else is working perfectly though. Many thanks for your help.
 

Discussion Starter #6 (Registered, 10 Posts)
Okay I managed to fix that after going into the registry, but I found another problem.

I still can't use ctrl+alt+del. It still says 'Task Manager has been disabled by your administrator'.
 

Reply (Registered, 6,574 Posts)
Download MWaveScan
  • Double-click mwav.exe and unzip it to its default Directory @ C:\Kaspersky
  • Locate "kavupd.exe" in the New Folder and Double Click to Update.
  • If it says the signatures are more than 30 days old, keep trying! Keep trying until you get the actual signatures! (it will say "downloading yadda yadda yadda")
  • When you see "Updates downloaded Successfully, please press any key to continue" go ahead, but do not run anything else in this folder...
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Now go to the Kaspersky folder-> Locate and Double Click "mwavscan.com" to launch the MWAV Scanner!
Once opened-> Leave the Default Settings "ticked" and add a "tick" to "Drives"-> this will light up "All Drives"-> Add a "tick" to "Scan all Files"-> Click "Scan Clean" to begin!
This Scan may take Several Hours or more to Complete, Depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!
- Once the Scan has finished, All entries Identified as Infected will be displayed in the lower pane! - Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!
- Open a Blank Notepad Page and Paste the results (Ctrl+V) to it and Save it to your Desktop!
 

Discussion Starter #8 (Registered, 10 Posts)
Okay I ran that and I still can't ctrl+alt+del.

Here's the log from that scan (with some things taken out that I know aren't the problem, but I can post the full thing if you need that):

File C:\WINDOWS\system32\lsasa.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\Old Hdd\WINOLD\NDNuninstall4_94.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\Old Hdd\WINOLD\TRUMPING.EXE tagged as not-a-virus:NetTool.Win32.ICMPPing. No Action Taken.
File C:\Old Hdd\WINOLD\wt\wtbgm\wtbgmtt.exe tagged as not-a-virus:AdWare.WinAD. No Action Taken.
File C:\Old Hdd\WINOLD\wt\wtupdates\wtbgm\files\1.5.0.134\wtbgmtt.exe tagged as not-a-virus:AdWare.WildTangent.a. No Action Taken.
File C:\Old Hdd\WINOLD\wt\wtupdates\wtbgm\files\1.5.1.019\wtbgmtt.exe tagged as not-a-virus:AdWare.WinAD. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0C4F5123 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\1867702D infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\19214960 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\19386F47 infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\1FE73B93 infected by "Email-Worm.Win32.NetSky.j" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\2486592D infected by "Email-Worm.Win32.NetSky.j" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\24F56CB3 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\2508689E infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\2952569B infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\297F2269 infected by "Email-Worm.Win32.NetSky.j" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\299D1C48 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\29D13C0F infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\29D81008 infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\5E015ED1 infected by "Email-Worm.Win32.Mabutu.a" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5F171F61 infected by "Trojan-Downloader.Win32.Small.adj" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\69D860CD infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\6D614EEA infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\70716526.ani infected by "Trojan-Downloader.Win32.Ani.b" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-842925246-963894560-682003330-500\Dc1.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\RECYCLER\S-1-5-21-842925246-963894560-682003330-500\Dc2.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046865.dll tagged as not-a-virus:AdWare.WinAD. No Action Taken.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046866.exe infected by "Trojan.Win32.Revop.b" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046867.exe infected by "Trojan.Win32.Revop.b" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046868.exe infected by "Trojan.Win32.Revop.b" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046869.exe infected by "Trojan.Win32.Revop.b" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046870.exe tagged as not-a-virus:Dialer.Win32.Hacker. No Action Taken.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046875.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046876.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046915.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0046916.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0047132.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0047133.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0047150.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0047151.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0047157.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP259\A0047158.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP261\A0047319.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP261\A0047355.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{42953AEF-AFB3-4567-83E3-036B0E635836}\RP261\A0047356.exe infected by "IM-Worm.Win32.Lewor.n" Virus. Action Taken: File Deleted.
 

Reply (Registered, 6,574 Posts)
C:\WINDOWS\system32\lsasa.exe

Delete the above file

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.
 

Discussion Starter #10 (Registered, 10 Posts)
I can't delete lsass.exe (access denied, may be write protected or in use) [also, I thought that lsass.exe (with a lower case L) was fine but that Isass.exe (with uppercase I) was the trojan.] And I can't get into task manager to stop it running (if it is in use, HJT says it isn't) if that's the problem.

Here's the log:

Started Scanning
Internet Cookies
Found 'imrworldwide.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'bluestreak.com' in 'Internet Explorer Cache'
Found 'statcounter.com' in 'Internet Explorer Cache'
Found 'z1.adserver.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'ads.addynamix.com' in 'Internet Explorer Cache'
Found 'linksynergy.com' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Found 'go.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Magnet'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Found 'GatorPdpSetup.log' in 'C:\Old Hdd\WINOLD'
Found 'NDNuninstall4_94.exe' in 'C:\Old Hdd\WINOLD'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Old Hdd\WINOLD\GatorPdpSetup.log' in shortcut areas.
Checking for 'C:\Old Hdd\WINOLD\GatorPdpSetup.log' in startup areas.
Cleaning 'C:\Old Hdd\WINOLD\GatorPdpSetup.log'
Checking for 'C:\Old Hdd\WINOLD\NDNuninstall4_94.exe' in shortcut areas.
Checking for 'C:\Old Hdd\WINOLD\NDNuninstall4_94.exe' in startup areas.
Cleaning 'C:\Old Hdd\WINOLD\NDNuninstall4_94.exe'
Finished Cleaning
 

Reply (Registered, 6,574 Posts)
I asked you to delete: C:\WINDOWS\system32\lsasa.exe
not lsass.exe

To avoid user error:

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\system32\lsasa.exe

Have you tried right clicking near your desktop clock and choosing 'Task Manager'?

Either way, let's get your Task Manager working.

* Open Registry Editor (Regedit.exe) and navigate to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

* In the right-pane, double-click DisableTaskMgr and set its data to 0
 

Discussion Starter #12 (Registered, 10 Posts)
Okay I did exactly what you said.

lsass.exe is still there. For some reason it won't delete it. The 'Unregister .dll Before Deleting' option was grayed out.

And I still can't get into Task Manager (and no, I can't get in by right-clicking near the clock--it's grayed out).
 

Discussion Starter #14 (Registered, 10 Posts)
I can't run the Panda Active Scan for some reason (never have been able). Whenever I try it just closes every IE window about a minute into the scan.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:21 AM, on 10/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Old Hdd\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Old Hdd\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{922A611E-3722-47BB-B03A-9E8A079B4DBD}: NameServer = 203.0.178.191
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
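Added example (not part of this thread and not HijackThis code): a small Python triage script for logs like the one above, parsing O4 Run-key entries and O17 NameServer lines so a helper can see at a glance which resolvers and startup programs need checking. The sample lines are copied from this log; the caller supplies `expected_dns`, the resolver addresses the owner's ISP or router is known to hand out.

```python
import re

# Constructed sample: lines copied from the HijackThis log in this thread (header kept on purpose).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{922A611E-3722-47BB-B03A-9E8A079B4DBD}: NameServer = 203.0.178.191
"""
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU)\\\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"NameServer = ([\d.,]+)")

def parse_hjt(text):
    # Split the log into (section, body) pairs; header and process lines are skipped.
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def autoruns(entries):
    # O4 Run-key entries with the program separated from its arguments. A bare file name
    # is resolved through the search path at logon, so it is flagged for a closer look.
    found = []
    for section, body in entries:
        m = RUN_RE.match(body) if section == "O4" else None
        if not m:
            continue
        cmd = m.group("cmd")
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        found.append({"hive": m.group("hive"), "name": m.group("name"),
                      "exe": exe, "unqualified": "\\" not in exe})
    return found

def nameservers(entries):
    # DNS servers configured per interface (O17 lines, possibly comma separated).
    return [ip for section, body in entries if section == "O17"
            for ips in DNS_RE.findall(body) for ip in ips.split(",")]

def triage(text, expected_dns):
    # What a helper reads first: resolvers other than the ones the owner or ISP is known
    # to use, and startup entries that rely on the search path rather than a full path.
    entries = parse_hjt(text)
    return {
        "unexpected_dns": [ip for ip in nameservers(entries) if ip not in expected_dns],
        "unqualified_autoruns": [r["name"] for r in autoruns(entries) if r["unqualified"]],
    }
```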

TSF Security Manager, Emeritus
42,837 Posts
Hello,

This time, let's run Mwav on its own:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

1. Reboot into Safe Mode.
2. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
3. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
4. In the Virus Log Information Pane, left click and highlight all the information in the lower pane. Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.