Status: Not open for further replies. · 1 - 20 of 35 Posts

#1 · Discussion Starter (Registered · 24 Posts)
Hiya guys & gals

I'm not sure if I have come to the right area, but I need some help with a big problem. The lowdown is that my neighbour's son has brought a virus in on their machine, I don't know which or what, then tried to get rid of it by reloading Windows. Because I teach office applications such as Word, Excel etc., they think I can fix it for them straight away. I have a little knowledge; they have none, so to speak. Someone has pointed me to your site and so I thought I would give you guys a shot.

What is happening:
The computer hard drive has got very little on it, but it is running very, very slow. I know it is processor memory, not storage memory, that governs the speed, but I thought you needed to know that bit of info.

The email doesn't appear to be working; it says the IMAP setting is wrong, but I have checked the email account properties and they all look ok to me.

It will log onto the internet, eventually, but is exceptionally slow and will not open any pages; although the browser window opens, it keeps saying 'page cannot be displayed'.

I have run Adaware, but there wasn't much on it, although it did say that it could not delete 'deskadserve'.

I would appreciate any help at all and have attached their log file (well, I have tried to, so I hope it posts ok).

many thanks

gilli

Logfile of HijackThis v1.99.0
Scan saved at 8:17:18 PM, on 1/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msnplus.exe
C:\WINDOWS\System32\efvzboesn.exe
C:\WINDOWS\System32\winmedplay.exe
C:\WINDOWS\System32\systemservices.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\smsss.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk/broadband/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Msn Plug] msnplus.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\Run: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\Run: [MsWindows Syspg] mspg32.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\RunServices: [Msn Plug] msnplus.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\RunServices: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\RunServices: [MsWindows Syspg] mspg32.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe
O4 - HKLM\..\RunOnce: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [sysPersonalFirewall] system.exe
O4 - HKCU\..\RunOnce: [Msn Plug] msnplus.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C651811C-A8A3-4D20-9D71-C4FC023C2B30}: NameServer = 80.225.252.186 80.225.252.178
 


#2 · Registered member (49,014 Posts)

#3 · Discussion Starter (Registered · 24 Posts)
Thanx, but I have one slight problem in doing an online scan: although it seems to be able to access the internet, it will not open any pages in the browser to be able to go to the sites to do an online scan.

Should I try reloading I.E.? Would this help at all, do you think?
 

#4 · Registered member (49,014 Posts)
gilli.p said:
    Thanx, but I have one slight problem in doing an online scan: although it seems to be able to access the internet, it will not open any pages in the browser to be able to go to the sites to do an online scan.

    Should I try reloading I.E.? Would this help at all, do you think?

Reloading IE will do nothing. You need to run an AV on your system.

See if you can get the AVG I mentioned by burning it on to a CD at another PC.
Also get the other 2 I mentioned.
 

#5 · Discussion Starter (Registered · 24 Posts)
Sorry about this, but once I have installed and run the Adaware, Spybot and AVG programmes, what do I do with the stuff they find? Do I just delete whatever it throws up, or are they likely to find files that are not viruses etc.?
 

#7 · Discussion Starter (Registered · 24 Posts)
Right

Downloaded and ran the new Adaware and got rid of the critical objects, although there weren't that many.

Downloaded and ran Spybot, which came up with "Spybot scan found: DSO Exploit", and there were 5 registry entries under the DSO Exploit header. Do I Immunise or Recover?

Downloaded and ran AVG; it found 8:
Trojan Horse IRC\BackDoor.SdBot.69AA
Trojan Horse EXPLOIT.MS04.028.Downloader
Four of - Trojan Horse IRC/Bd.SdBot.89Y
Two of - Trojan Horse IRC/Bd.SdBot.90.AT

I let it do its business and they are now stored in the Virus Vault in AVG.

*******************
While AVG was running, Spybot kept coming up with popups saying that "Spybot Search & Destroy has found registry entries that have changed".
These were:

Category: - System Startup Global Entry
Change: - Value added
Entry: - Kalvsys
New Data: c:\windows\system32\kalvtro32.exe

Category: - System Startup Global Entry
Change: - Value Deleted
Entry: - adiras
Old Data: - adiras.exe

Category: - System Startup Global Entry
Change: - Value Deleted
Entry: - User fault check
Old Data: - %systemroot%\system32\dumprep 0 -u

Category: - System Startup Global Entry
Change: - Value added
Entry: - Windows Media Player
New Data: - msams.exe

I didn't know if I should accept changes or not so I thought I would ask first.

******************

This is the new log file after doing the above scans etc:

Logfile of HijackThis v1.99.0
Scan saved at 6:15:47 PM, on 1/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msnplus.exe
C:\WINDOWS\System32\winmedplay.exe
C:\WINDOWS\System32\systemservices.exe
C:\WINDOWS\System32\aunelh.exe
C:\WINDOWS\System32\smsss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\msams.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk/broadband/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Msn Plug] msnplus.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\Run: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\Run: [MsWindows Syspg] mspg32.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtro32.exe
O4 - HKLM\..\Run: [Windows Media Player] msams.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [Msn Plug] msnplus.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\RunServices: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe
O4 - HKLM\..\RunOnce: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKCU\..\Run: [Windows Media Player] msams.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [Msn Plug] msnplus.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105553320544
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Also, while I was over there, I thought I would delete some of their temporary internet files. Instead of rebooting to change user I tried to switch user, and the system rebooted itself.

Logged onto the internet to try and get to the Winupdate site and it shut the system down with an error message saying "Winupdate error Isass.exe code 1073741819".

Any ideas?
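The TeaTimer alerts quoted in this post are a change monitor on the startup keys: each alert is one entry added to or deleted from a Run key. The same comparison can be made between two successive HijackThis logs, which is what this thread does by hand each time a new log is posted. The script below is an added example written for this thread, not TeaTimer's or HijackThis's own code: it parses the O4 registry lines of two logs and reports additions, deletions and changed values in the same "Value added" / "Value deleted" shape as the alerts. The two excerpts are constructed samples trimmed from the 1/10/2005 and 1/12/2005 logs above; neither contains a changed value, so that branch is there for completeness.

```python
"""Diff the autostart (O4) registry entries of two HijackThis logs.

Added example for this thread (not TeaTimer or HijackThis code). Reports
additions and deletions the way Spybot's TeaTimer alerts phrase them.
"""
import re

# O4 - HKLM\..\Run: [Entry name] launched data   (Global Startup lines are skipped)
O4_RE = re.compile(r"^O4 - (HK[LC][MU]\\\.\.\\\w+): \[([^\]]*)\] (.+)$")

# Constructed excerpt of the 1/10/2005 log from this thread (a handful of entries).
BEFORE = r"""
O4 - HKLM\..\Run: [Msn Plug] msnplus.exe
O4 - HKLM\..\Run: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKCU\..\RunOnce: [sysPersonalFirewall] system.exe
"""

# Constructed excerpt of the 1/12/2005 log, after AVG and Spybot had run.
AFTER = r"""
O4 - HKLM\..\Run: [Msn Plug] msnplus.exe
O4 - HKLM\..\Run: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtro32.exe
O4 - HKLM\..\Run: [Windows Media Player] msams.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
"""


def parse_autostarts(log_text):
    """Map (registry key, entry name) -> launched data for every O4 registry line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            key, name, data = m.groups()
            entries[(key, name)] = data
    return entries


def diff_autostarts(before_text, after_text):
    """Return the list of startup entries that appeared, vanished or changed."""
    before = parse_autostarts(before_text)
    after = parse_autostarts(after_text)
    changes = []
    for key, name in sorted(set(before) | set(after)):
        if (key, name) not in before:
            changes.append({"change": "Value added", "key": key,
                            "entry": name, "data": after[(key, name)]})
        elif (key, name) not in after:
            changes.append({"change": "Value deleted", "key": key,
                            "entry": name, "data": before[(key, name)]})
        elif before[(key, name)] != after[(key, name)]:
            changes.append({"change": "Value changed", "key": key, "entry": name,
                            "data": f"{before[(key, name)]} -> {after[(key, name)]}"})
    return changes


def format_alerts(changes):
    """Render the changes in the Category / Change / Entry / Data layout TeaTimer uses."""
    blocks = []
    for c in changes:
        label = "Old Data" if c["change"] == "Value deleted" else "New Data"
        blocks.append("\n".join([
            f"Category: System Startup ({c['key']})",
            f"Change: {c['change']}",
            f"Entry: {c['entry']}",
            f"{label}: {c['data']}",
        ]))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(format_alerts(diff_autostarts(BEFORE, AFTER)))
```

Run against the two excerpts it reports three additions (AVG7_CC, kalvsys and the "Windows Media Player" entry that launches msams.exe) and two deletions, which is the kind of list a helper wants alongside each new log: what actually changed since the last one, rather than the whole log again.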
 

#9 · Discussion Starter (Registered · 24 Posts)
Re original thread - sorry I couldn't post a reply sooner; I had to wait until they were home from work before I could go across and do the next bit.

I have run AVG again after installing the DSO fix and this is the resulting log file. Is this ok or does it still need some work?

Spybot kept popping up with 3 that it could not remove:
+ DyFuCa.Internet Optimizer
+ ISTbar.slotch
+ Powerscan

Logfile of HijackThis v1.99.0
Scan saved at 7:48:11 PM, on 1/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msnplus.exe
C:\WINDOWS\System32\systemservices.exe
C:\WINDOWS\System32\aunelh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\msams.exe
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk/broadband/
O4 - HKLM\..\Run: [Msn Plug] msnplus.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\Run: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\Run: [MsWindows Syspg] mspg32.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Media Player] msams.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtro32.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\RunServices: [Msn Plug] msnplus.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\RunServices: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe
O4 - HKLM\..\RunOnce: [Msn Plug] msnplus.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKCU\..\Run: [Windows Media Player] msams.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [Msn Plug] msnplus.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105553320544
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 

#10 · Discussion Starter (Registered · 24 Posts)
Thanx for all your help so far guys, and for being so patient with me. Could someone have a look at the log on my last post and see if it is ok now? And can anyone tell me about the lsass or Isass message I got when trying to do Windows Update? I am a bit concerned about the lsass/Isass error message that came up, as I thought this might be another virus.

Thanx again

Gilli
 

#11 · Registered member (49,014 Posts)
Print this out – Boot into safe mode

Fix these entries

O4 - HKLM\..\Run: [Msn Plug] msnplus.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\Run: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\Run: [MsWindows Syspg] mspg32.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe
O4 - HKLM\..\Run: [Windows Media Player] msams.exe

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtro32.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\RunServices: [Msn Plug] msnplus.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Microsoft Critical System Services] systemservices.exe
O4 - HKLM\..\RunServices: [Microsoft Relay Manager] aunelh.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe
O4 - HKLM\..\RunOnce: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKCU\..\Run: [Windows Media Player] msams.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [Msn Plug] msnplus.exe

Add/remove programs – remove DeskAd Service if there

Delete – Be very careful of the spelling as these are spoofs

C:\WINDOWS\System32\msnplus.exe
C:\WINDOWS\System32\systemservices.exe
C:\WINDOWS\System32\aunelh.exe
C:\WINDOWS\System32\msams.exe
C:\Program Files\DeskAd Service  <========== FOLDER
C:\Program Files\Messenger\msmsgs.exe

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin

Boot and post a new log
 

#12 · Discussion Starter (Registered · 24 Posts)
Did what you suggested, but... I am a little concerned that you told me to fix the firewall, as in:
O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe

Will this not get rid of the firewall and allow hackers into the computer?

This is the new log file

Logfile of HijackThis v1.99.0
Scan saved at 7:49:25 PM, on 1/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk/broadband/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105553320544
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 

#14 · Discussion Starter (Registered · 24 Posts)
Right

So they were viruses or whatever, disguising themselves as proper files - crafty!

Err - how is it?

It seemed a little better, but then again I only rebooted and ran HijackThis to get the log file, then came away. Until you told me to do anything else with it, I told them to keep off it until now.

So is it ok for them to use as normal now?
 

#16 · Discussion Starter (Registered · 24 Posts)
Great stuff

I have been across this morning and it is working ok, but Spybot keeps finding things it can't remove:

DyFuCa.Internet Options
ISTbar.slotch
Powerscan

It says it can't fix them because they are in use elsewhere (in the memory).
Do you think this might be under one of the other users? Are these baddies, and if so, how can I find and zap them?
 

#18 · Discussion Starter (Registered · 24 Posts)
Right

Turned the restore point off and then back on; the result is:

AVG kept coming up with -
Trojan horse IRC/BackDoor.SdBot.109.AR

Spybot still could not fix
DyFuCa.Internet Options
ISTbar.slotch
Powerscan

Adaware could not remove
C:\Program files\Admanager Controller\Admanctl.exe

Now getting popup messages from Messenger Service saying that it has detected spyware and to go to www.errorfixer.com.

I also ran the virus software through the other users and it came up with varying results - but basically the same as the above.

However, I now have 2 log files for you to look at: the first is the one you have seen and been fixing thus far;
the second is from another user on her computer.

I thought that the log file was for the entire machine and would not differentiate between users, but these are definitely different.

Logfile of HijackThis v1.99.0
Scan saved at 6:38:51 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\regrun32z.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk/broadband/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Window Registry Config1] regrun32z.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Window Registry Config1] regrun32z.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105553320544
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C651811C-A8A3-4D20-9D71-C4FC023C2B30}: NameServer = 80.225.252.186 80.225.252.178
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
 

#19 · Registered member (49,014 Posts)
First edit your post and remove the second log – Post it in its own thread saying what's happening and what tools it has

Print this out and boot to safe mode

Fix these

O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe

O4 - HKLM\..\Run: [start extracting] spoolvse.exe

O4 - HKLM\..\Run: [Window Registry Config1] regrun32z.exe

O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe

O4 - HKLM\..\RunServices: [Window Registry Config1] regrun32z.exe

O4 - HKCU\..\Run: [start extracting] spoolvse.exe

O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files - Pay close attention to the spelling

C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\regrun32z.exe

Delete this folder

C:\Program Files\Admanager Controller

Empty the recycle bin

Boot and post a new log
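Both of the helper's cleanup lists (this one and the earlier one after post #10) pick out the same three patterns by eye: O4 autostart entries that give only a bare file name, so Windows resolves it through the search path (typically to System32); names that are a letter or two away from a genuine Windows binary, which is why the lists say to watch the spelling (smsss.exe vs smss.exe, spoolvse.exe vs spoolsv.exe); and O9/O23 entries HijackThis marks "(file missing)" or whose service vendor is Unknown. The script below is an added example written for this thread, not HijackThis or the helper's tooling, that applies those three checks to a log automatically. Its sample input is constructed from lines in this thread's logs; the KNOWN_GOOD list and the edit-distance threshold of 2 are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log for the patterns a helper checks by hand.

Added example for this thread, not HijackThis code. Flags:
  * O4 entries that launch a bare file name (no directory component);
  * file names within 2 edits of a genuine Windows binary (spoofed spellings);
  * O9/O23 lines marked "(file missing)" and O23 services with an Unknown vendor.
KNOWN_GOOD and the threshold are this example's assumptions, not an authoritative list.
"""
import re

# Genuine Windows XP binaries that the spoofed names in this thread imitate (assumed list).
KNOWN_GOOD = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
              "svchost.exe", "spoolsv.exe", "explorer.exe", "msmsgs.exe"}

O4_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Launched file: optional quotes, up to the first executable extension; args follow.
TARGET_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|bat|dll))"?', re.IGNORECASE)

# Constructed sample assembled from O4/O9/O23 lines that appear in this thread's logs.
SAMPLE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] system.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def target_of(data):
    """Extract the launched file from an O4 value; fall back to the first token."""
    m = TARGET_RE.match(data)
    return m.group(1) if m else data.split()[0].strip('"')


def lookalike(name):
    """Return the genuine binary `name` most resembles if it is within 2 edits, else None."""
    if name in KNOWN_GOOD:
        return None
    best = min(KNOWN_GOOD, key=lambda good: edit_distance(name, good))
    return best if edit_distance(name, best) <= 2 else None


def triage(log_text):
    """Return a list of findings, each {"kind", "target", "line"}."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, _key, _label, data = m.groups()
            target = target_of(data)
            name = target.rsplit("\\", 1)[-1].lower()
            if "\\" not in target:  # no directory: resolved via the search path
                findings.append({"kind": "bare-name autostart", "target": name, "line": line})
            good = lookalike(name)
            if good:
                findings.append({"kind": f"lookalike of {good}", "target": name, "line": line})
            continue
        if line.startswith(("O9 -", "O23 -")) and "(file missing)" in line:
            path = line.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
            findings.append({"kind": "file missing", "target": path, "line": line})
        if line.startswith("O23 -") and " - Unknown - " in line:
            service = line.split(" - ")[1].replace("Service: ", "")
            findings.append({"kind": "unknown service vendor", "target": service, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['kind']:28} {f['target']:40} {f['line']}")
```

Hits are leads, not verdicts. The dumprep entry passes because its value carries a %systemroot% path, AVG's entries pass on both name and path, and the AdManCtl.exe entry passes all three checks even though the helper removes it; the script narrows what a human has to read, it does not replace reading the log.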
 

#20 · Discussion Starter (Registered · 24 Posts)
Another log, found under one of the users on the PC, that is different to the main log.

Can someone have a look and tell me what is wrong with it please?

AVG keeps finding Trojan horse IRC\BackDoor.SdBot.109.AR

Spybot finds but cannot destroy:
DyFuCa.Internet Options
Powerscan

Adaware could not remove:
c:\Programfiles\Admanager Controller\Admanctl.exe

Would appreciate any help you guys can give me.

Here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 7:09:15 PM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\regrun32z.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tiscali.co.uk/broadband/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/broadband/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Window Registry Config1] regrun32z.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Window Registry Config1] regrun32z.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Msn Plug] msnplus.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] efvzboesn.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [sysPersonalFirewall] system.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105553320544
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C651811C-A8A3-4D20-9D71-C4FC023C2B30}: NameServer = 80.225.252.186 80.225.252.178
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
 