

Discussion Starter #1
Hello, I hope someone can help me. I don't know too much about computers, but I'll try and explain as best I can what has happened to my machine. I am running Windows XP SP1, and every time I open Internet Explorer my system starts freezing up bit by bit until I cannot use it anymore. I have noticed that my internet connection continues to upload and download stuff and won't let me disconnect; when I try to disconnect from the net, the system freezes. I have been looking around to try and find out what the prob was, but I could not find it, so I have re-installed Windows after formatting my hard drive. I have had an error come up with my lsass.exe saying code 128 and then re-starting the PC after 60 seconds, and I am at a loss of what to do, so I downloaded HijackThis and have run it. The following is a copy of the log.
Please help someone, I have no idea how to fix this.

Logfile of HijackThis v1.99.1
Scan saved at 11:50:24, on 02/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\IEXPL0RE.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\System32\IEXPL0RE.EXE
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\apps\hijackthis\HijackThis.exe

O1 - Hosts: 202.71.111.205 www.halifax-online.co.uk
O1 - Hosts: 202.71.111.205 ibank.barclays.co.uk
O1 - Hosts: 202.71.111.205 online.lloydstsb.co.uk
O1 - Hosts: 202.71.111.205 online-business.lloydstsb.co.uk
O1 - Hosts: 202.71.111.205 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 202.71.111.205 www.nwolb.com
O1 - Hosts: 202.71.111.205 banesnet.banesto.es
O1 - Hosts: 202.71.111.205 extranet.banesto.es
O1 - Hosts: 202.71.111.205 ebanking.bccbrescia.it
O1 - Hosts: 202.71.111.205 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 202.71.111.205 www.rbsdigital.com
O1 - Hosts: 202.71.111.205 oi.cajamadrid.es
O1 - Hosts: 202.71.111.205 bancae.caixapenedes.com
O1 - Hosts: 202.71.111.205 banking.postbank.de
O1 - Hosts: 202.71.111.205 meine.deutsche-bank.de
O1 - Hosts: 202.71.111.205 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 202.71.111.205 ibank.cahoot.com
O1 - Hosts: 202.71.111.205 webbank.openplan.co.uk
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: Microsoft AntiSpyware.lnk = C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128108895376
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128169366578
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 

TSF Security Team, Emeritus
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

You do not appear to have an anti-virus application installed on this machine. Let's start off by getting you a free yet effective antivirus program. Please choose one from any of these 3 programs, which are free for home use:

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HijackThis program.

CleanUp.exe - Install.

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O4 - HKLM\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKLM\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\Run: [Micrsoft Internet Explorer] IEXPL0RE.EXE
O4 - HKCU\..\RunServices: [Micrsoft Internet Explorer] IEXPL0RE.EXE



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of hidden files.
From Windows Explorer, go to Tools > Folder Options > View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK.

Locate and delete the following files:
  • C:\WINDOWS\System32\IEXPL0RE.EXE

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Perform an online scan with Internet Explorer at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


In your next post, please include fresh logs from:
  1. HijackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
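
The O1 entries in the first log above pin a whole list of online-banking hostnames to one public address, which is why the hosts file is replaced in the steps above. The script below is an added example, not part of this thread or of HijackThis: it parses hosts-file lines or HijackThis "O1 - Hosts:" lines, flags hostnames mapped to a non-local address, and rates an address higher the more distinct domains collapse onto it. The sample input is constructed (three lines copied from the log above plus benign entries a normal hosts file contains).

```python
"""Flag hosts-file hijacks of the kind shown by HijackThis O1 lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three O1 lines from the log above plus benign entries.
SAMPLE_LINES = """\
127.0.0.1 localhost
::1 localhost
O1 - Hosts: 202.71.111.205 www.halifax-online.co.uk
O1 - Hosts: 202.71.111.205 ibank.barclays.co.uk
O1 - Hosts: 202.71.111.205 online.lloydstsb.co.uk
# ad-blocking entry, expected in a hosts file
0.0.0.0 ads.example.invalid
192.168.1.10 fileserver.lan
"""

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*", re.IGNORECASE)


def parse_entries(text):
    """Return (ip, hostname) pairs from hosts-file lines or HJT O1 lines."""
    entries = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())      # strip the HJT prefix if present
        line = line.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not an address: not a hosts entry
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def is_expected_local(ip_str):
    """Loopback, unspecified (0.0.0.0 sinkholing), private and link-local addresses are normal."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local


def registrable_domain(host):
    """Crude registrable-domain guess: last two labels, or three for co.uk-style suffixes."""
    labels = host.split(".")
    two_level = {"co", "com", "org", "net", "ac", "gov"}
    if len(labels) >= 3 and labels[-2] in two_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_hijacks(text):
    """Map every non-local address to the sorted hostnames pinned to it."""
    by_ip = defaultdict(set)
    for ip, host in parse_entries(text):
        if host == "localhost" or is_expected_local(ip):
            continue
        by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def severity(hosts):
    """Many unrelated domains on one public IP is the pharming signature seen in the log."""
    domains = {registrable_domain(h) for h in hosts}
    if len(domains) >= 3:
        return "high"
    return "medium" if len(domains) == 2 else "low"


if __name__ == "__main__":
    for ip, hosts in find_hijacks(SAMPLE_LINES).items():
        print(f"{ip} [{severity(hosts)}] <- {', '.join(hosts)}")
```

The same functions can be pointed at the real file by reading C:\WINDOWS\system32\drivers\etc\hosts into `find_hijacks`; a clean hosts file yields an empty result.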
 

Discussion Starter #3
Thank you for the quick reply. OK, here is what is happening.

I have downloaded and installed a copy of AVG antivirus, and the first thing I did was run it. It found 2 virus/trojan things: one was called Trojan horse IRC/BackDoor.SdBot.74.bp and the virus was called I-Worm/maslan.C. I deleted these 2 objects; the file names and locations of them were as follows:

c:\windows\system32\wvsvc.exe
c:\windows\system32\____u

I then continued with your instructions.

My PC locked up a few times, so I have had to repeat the instructions until they were all completed in order. ActiveScan found 10 viruses and 1 spyware; it removed the viruses but said no to the spyware removal, and I ran ActiveScan twice just to be sure everything had been removed. The logs are as follows.

Activescan -

Incident Status Location

Adware:adware/exactsearch No disinfected Windows Registry
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\a
Virus:Trj/Agent.ADA Disinfected C:\WINDOWS\system32\gehidsy.exe
Virus:Bck/Sdbot.FDX Disinfected C:\WINDOWS\system32\msnt.exe
Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\system32\TFTP1164
Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\system32\TFTP144
Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\system32\TFTP1940
Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\system32\TFTP1960
Virus:W32/Sdbot.EUC.worm Disinfected C:\WINDOWS\system32\TFTP276
Virus:W32/Gaobot.BJY.worm Disinfected C:\WINDOWS\system32\TFTP3580
Virus:W32/Gaobot.BJY.worm Disinfected C:\WINDOWS\system32\TFTP3956
and HijackThis -

Logfile of HijackThis v1.99.1
Scan saved at 14:43:31, on 02/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\Geoff\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] msnt.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] msnt.exe
O4 - Global Startup: Microsoft AntiSpyware.lnk = C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128108895376
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128169366578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Thanks again for helping me out, I had no idea I had so many viruses.
 

Discussion Starter #4
The PC had seemed to be running somewhat faster and not crashing now; however, I have run AVG anti virus and 2 more virus/trojans have shown up. They are a trojan called Collected 5.L and another trojan IRC/BackDoor.SdBot.LOZ.
 

TSF Security Team, Emeritus
Have HijackThis fix these:

O4 - HKLM\..\Run: [Compaq Service Drivers] msnt.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] msnt.exe



Then delete this file, if still present:

C:\Windows\system32\msnt.exe


You need to perform another online scan at Kaspersky.
Show me a new log & the Kaspersky report.
 

Discussion Starter #6
Sorry, the major probs continue.

I tried doing as you asked, but during the Kaspersky scan AVG anti virus detected more viruses, so I healed the files and they just came back, so I deleted them and I got an lsass error again. My PC said it would shut down in 60 seconds, and when it rebooted it had a strange start-up screen that said "windows is starting up" whereas normally it says "welcome", and the PC now freezes here. I used my XP disc to repair Windows and I tried again, but I just get the same thing happening each time. Thanks for the help :)
 

TSF Security Team, Emeritus
The next time your system tries to shutdown...
Go to Start > Run, type shutdown -a <Press Enter> (that would abort the shutdown).

You do not appear to have a firewall. Please install one. A tutorial on Firewalls and a listing of some available ones can be found here.
The firewall would reduce your risk of further infections from worms.

After you have done so, continue the Kaspersky scan but switch off the real time scanner of your Antivirus. Otherwise, it may interfere with the Kaspersky scan.

When you have finished, please post the resultant log along with a new HJT log.

<Edit> Better show me your current state by posting a HJT log now.
 

Discussion Starter #8 (Edited)
Thanks

Thanks subs, I will follow these instructions as soon as Windows has repaired; it says it will take another half hour to repair.

And I have downloaded and am going to install AVG with firewall.
 

Discussion Starter #9
Lots of information for you ;)

I have got a HJT log made straight after I ran the Windows XP repair using the original CD.

Logfile of HijackThis v1.99.1
Scan saved at 16:20:03, on 08/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Documents and Settings\Geoff\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - Global Startup: Microsoft AntiSpyware.lnk = C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128108895376
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128169366578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe

I have also run an Ad-Aware scan and found 9 items relating to Alexa, which I deleted.

Thank you again for your continued assistance.
 

TSF Security Team, Emeritus
If you have done a repair install, there will be no active malware processes in your system.
But you may have dormant infections.
A scan with Kaspersky & Ad-Aware will ferret those out.

I strongly suspect that there are worms in your network. It may be your local area network, if you have more than one computer in your premises, or the network you connect to to get onto the internet. That's why I asked you to get a firewall. You should also change your Windows password to something that isn't that obvious.

Do the scan at Kaspersky now. But remember to disable AVG when you're doing that.
Post that log when it's done.
 

Discussion Starter #11
Kaspersky report

Here you go

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, October 08, 2005 17:07:04
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/10/2005
Kaspersky Anti-Virus database records: 153007
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 31831
Number of viruses found: 5
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 1434 sec

Infected Object Name - Virus Name
C:\WINDOWS\spoollv.exe Infected: Backdoor.Win32.SdBot.aad
C:\WINDOWS\system32\.pif Infected: Trojan-Downloader.BAT.Ftp.w
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\system32\mmiww.exe Infected: Backdoor.Win32.PoeBot.d
C:\WINDOWS\system32\spoolsvc.exe Infected: Backdoor.Win32.PoeBot.d
C:\WINDOWS\system32\spoolv.sys Infected: Rootkit.Win32.Agent.ab

Scan process completed.
 

TSF Security Team, Emeritus
Please download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:
  • Standard File Kill
  • End Explorer Shell While Killing File
  • Unregister DLL (If available)
Select all the filenames below & then right-click & select Copy:
    C:\WINDOWS\spoollv.exe
    C:\WINDOWS\system32\.pif
    C:\WINDOWS\system32\i
    C:\WINDOWS\system32\mmiww.exe
    C:\WINDOWS\system32\spoolsvc.exe
    C:\WINDOWS\system32\spoolv.sys
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
Then repeat the Kaspersky scan but this time ...direct Kaspersky to scan C:\WINDOWS\system32\ folder only.
 

Discussion Starter #13
Saying it's all clean

The KillBox had no problems while deleting the files that were pasted in, and I ran a Kaspersky scan on c:\windows\system32\ and it said it was clean and that no malware had been detected.
 

TSF Security Team, Emeritus
I have a hunch that your CD may be infected.
Please direct Kaspersky to scan your XP CD.
 

Discussion Starter #15
Clean as a whistle

I scanned the Windows XP disc and the TalkTalk internet CD and they came back clean.

There are two computers on my network, and I've done a Kaspersky scan on the other one and it found 8 viruses on there. I have made a HJT log if you're OK to assist me a little longer. Thanks for all your help so far.

Logfile of HijackThis v1.99.1
Scan saved at 19:32:53, on 08/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\PopupZero\PopupZeroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\<insert name>\Desktop\apps\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupZeroDLL.CPopupZeroDLL - {8DC238E8-E3D0-4ED9-8A4D-43E9C1C5BBA9} - C:\Program Files\PopupZero\PopupZeroDLL.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [PopupZeroNSAOL] C:\Program Files\PopupZero\PopupZeroNSAOL.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://mirror.worldwinner.com/games/v42/jigsaw/jigsaw.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v42/golfsol/golfsol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70A76444-9910-4CC7-9F7E-3E5F212B6517}: NameServer = 62.24.128.5 62.24.128.69
O17 - HKLM\System\CS1\Services\Tcpip\..\{70A76444-9910-4CC7-9F7E-3E5F212B6517}: NameServer = 62.24.128.5 62.24.128.69
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)

(*^^*)
Thanks
 

Discussion Starter #16
Wait, I was wrong

I ran the Kaspersky scan on the first one again, and now it's saying there are 4 new viruses???

I haven't rebooted it or connected it to my laptop, but I have connected to the internet.
 

TSF Security Team, Emeritus
Let's not do the 2nd computer till the 1st one is 100% clean.

Please post the names of the files found by Kaspersky.
 

TSF Security Team, Emeritus
I had time to look at the 2nd PC's log. It has a P2P worm. Please do this fix for it.

Let's try this first...

Download and unzip BFUzip from http://computercops.biz/zx/Merijn/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


Post a new HJT log after that.
 

Discussion Starter #20
1st PC - Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, October 08, 2005 20:06:03
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/10/2005
Kaspersky Anti-Virus database records: 153026
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 31870
Number of viruses found: 4
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 1391 sec

Infected Object Name - Virus Name
C:\!Submit\.pif Infected: Trojan-Downloader.BAT.Ftp.w
C:\!Submit\mmiww.exe Infected: Backdoor.Win32.PoeBot.d
C:\!Submit\spoollv.exe Infected: Backdoor.Win32.SdBot.aad
C:\!Submit\spoolsvc.exe Infected: Backdoor.Win32.PoeBot.d
C:\!Submit\spoolv.sys Infected: Rootkit.Win32.Agent.ab
C:\System Volume Information\_restore{FF5F6F08-C210-4975-9FB9-680D62FB4ACA}\RP1\A0000030.exe Infected: Backdoor.Win32.SdBot.aad
C:\System Volume Information\_restore{FF5F6F08-C210-4975-9FB9-680D62FB4ACA}\RP1\A0000031.pif Infected: Trojan-Downloader.BAT.Ftp.w
C:\System Volume Information\_restore{FF5F6F08-C210-4975-9FB9-680D62FB4ACA}\RP1\A0000032.exe Infected: Backdoor.Win32.PoeBot.d
C:\System Volume Information\_restore{FF5F6F08-C210-4975-9FB9-680D62FB4ACA}\RP1\A0000033.exe Infected: Backdoor.Win32.PoeBot.d
C:\System Volume Information\_restore{FF5F6F08-C210-4975-9FB9-680D62FB4ACA}\RP1\A0000034.sys Infected: Rootkit.Win32.Agent.ab

Scan process completed.

Thanks, I'll get on with the second one.
 