Another virus :(

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ipatriot

Thread Starter
Joined
Feb 26, 2003
Messages
333
Hi guys,

Im havin some real problems with a virus, which i cant get rid off. Ive tryed many things and all the online scans and still even after it deletes them they come back. Ive done NAV but that finds spyware and says cant delete.

I know i hav spyware in my system, but thats not a real problem i could get rid of that but , its the virus which wount go. It runs files like dllman.exe ,winmedplay.exe,winexec32.exe,cmd.exe and ftp.exe. Any ideas what this virus is called?

Any ideas would even be great. Thanks ipatriot


--------- hijack log--------

Logfile of HijackThis v1.98.2
Scan saved at 14:08:04, on 30/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllman.exe
C:\WINDOWS\System32\winmedplay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\winexec32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AUTOSAVE.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\SahAgent.exe
G:\Program Files\mIRC\mirc.exe
c:\temp\salm.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\temp\CXTPLS~1.EXE
C:\WINDOWS\System32\dxdur.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\extearts.exe
G:\Server\Apps\hmm.exe
C:\Program Files\CxtPls\CxtPls.exe

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft NT Update] winexec32.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
O4 - HKLM\..\Run: [ytcv] C:\WINDOWS\ytcv.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [33rU3pU] extearts.exe
O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [I008RfY9g] dxdur.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c11.cab
 
Joined
Jan 2, 2003
Messages
236
Go
Here
and Get Trojan-Hunter Fully working trial!
,,,,,,,,,,,,,,,,,,,,,

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.
,,,,,,,,,,,,,,,,,,,,,,,,,,
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-


http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from :-
HERE
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware


Please do this.as you version of hijackthis is outdated ,get latest version and delete the old one .
Download 'Hijack This!'. http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

Your copy of HijackThis needs to be in a folder of it's own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!


1. Please go to you're 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

3. Close ALL windows except HJT

4. SCAN with HJT

5. POST the new log in this thread using 'Add Reply'

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH


Then post a HJT log as a reply to this topic.
 

ipatriot

Thread Starter
Joined
Feb 26, 2003
Messages
333
Hi, did what u said above and hijiack log below:

Logfile of HijackThis v1.99.0
Scan saved at 18:37:17, on 31/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\crsss.exe
C:\Program Files\Comedy-Planet\comedy-planet.exe
C:\WINDOWS\System32\fdetapi.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\fasbaln.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\hj\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows media service] crsss.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Comedy-Planet] C:\Program Files\Comedy-Planet\comedy-planet.exe
O4 - HKLM\..\Run: [5FrX35R] fdetapi.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [Windows media service] crsss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows media service] crsss.exe
O4 - HKCU\..\Run: [Ko07RRdnP] fasbaln.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks
 
Joined
Jan 2, 2003
Messages
236
Hi do ALT+CTRL+DEL
And process and end these processes
C:\WINDOWS\System32\crsss.exe, !!!note the different spelling this one is not the good CSRRSS
C:\Program Files\Comedy-Planet\comedy-planet.exe
C:\WINDOWS\System32\fdetapi.exe
C:\WINDOWS\System32\fasbaln.exe
C:\Program Files\CxtPls\CxtPls.exe

Go to control panel and add remove programs and uninstall these if found .
CxtPls
AutoUpdate
Comedy-Planet

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
You might want to print out or copy & paste to notePad , these instructions as you will need to close this browser window to fix with hijackthis !

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)

O4 - HKLM\..\Run: [Windows media service] crsss.exe

O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded

O4 - HKLM\..\Run: [Comedy-Planet] C:\Program Files\Comedy-Planet\comedy-planet.exe

O4 - HKLM\..\Run: [5FrX35R] fdetapi.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe

O4 - HKLM\..\RunServices: [Windows media service] crsss.exe

O4 - HKCU\..\Run: [Windows media service] crsss.exe

O4 - HKCU\..\Run: [Ko07RRdnP] fasbaln.exe

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx


Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\System32\crsss.exe,,,,delete file Careful deleting this one note the different spelling from the good csrss
,
C:\WINDOWS\cxtpls_loader.exe" ,,,,delete file

C:\Program Files\Comedy-Planet\,,,,,,deleted folder

C:\WINDOWS\System32\fdetapi.exe,,,,delete file

C:\Program Files\AutoUpdate,,,,,delete folder

C:\WINDOWS\System32\fasbaln.exe,,,,delete file


to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log
 
Joined
Jan 2, 2003
Messages
236
you know i just looked at the 2 logs and find it hard to believe that they are from the same computer !! they are so different
 

ipatriot

Thread Starter
Joined
Feb 26, 2003
Messages
333
ok thanks , will giv deleting them ago as soon i get back. I would like to get NAV 2005 but do not have the money at the moment, but maybe getting it will be worth it in the long run. "you know i just looked at the 2 logs and find it hard to believe that they are from the same computer !!" -> is this a good thing ??

Thanks ill post back to say how i get on. ipatriot
 
Joined
Jan 2, 2003
Messages
236
ipatriot said:
ok thanks , will giv deleting them ago as soon i get back. I would like to get NAV 2005 but do not have the money at the moment, but maybe getting it will be worth it in the long run. "you know i just looked at the 2 logs and find it hard to believe that they are from the same computer !!" -> is this a good thing ??

Thanks ill post back to say how i get on. ipatriot
Good or bad i'm not sure ! except for running the scans and programs i suggested after the first post ,what did you do before the second scan with hijackthis ,go to every bad site on the net to see what you could catch or did you maybe do a system restore or something .!LOL
 

ipatriot

Thread Starter
Joined
Feb 26, 2003
Messages
333
Thanks ive done what u said but only found 1 of the files when i went into safe mode but deleted that one. The system seems to be runnng ok at the moment, though i read somewhere that ftp.exe can be run though cmd.exe, so maybe this was how the spywaer was comming , cuz at one point i was deleting at the same rate it was comming in.!

If this does fail, do u think formating the harddrive from NTFS to fat32 then formating it back again to NTFS would work, as ive already formated it twice and it stayed on it!.... though hopefully this will work,( fingers crossed)


Thanks for your help,

ipatriot (y)
 

ipatriot

Thread Starter
Joined
Feb 26, 2003
Messages
333
I think ill giv that ago ,cuz ftp.exe and cmd.exe has come back. Thanks for your help.
 
Joined
Jan 2, 2003
Messages
236
ipatriot said:
I think ill giv that ago ,cuz ftp.exe and cmd.exe has come back. Thanks for your help.
Cerently is the quickest fix . I do it for a lot of locals it cheaper for them and saves me a lot of time running removal tools .
Some tools to use to protect you computer after you reinstall .

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  2. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    Antivirus
  3. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    FIREWALL

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  4. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  5. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  6. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  7. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top