1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

'Highjack This' Log (worm problem)

Discussion in 'Virus & Other Malware Removal' started by Indy Fontana, Sep 17, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Indy Fontana

    Indy Fontana Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    4
    Hi,

    Here's my log,
    and thanks.

    Logfile of HijackThis v1.97.2
    Scan saved at 21:10:54, on 17/09/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cmd32.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\iPod\bin\iPodManager.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Norton Personal Firewall\ATRACK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp3\winamp3.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Home\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
    O1 - Hosts: 38.115.131.131 sk2.slsk.org
    O1 - Hosts: 38.115.131.131 www.slsk.org
    O1 - Hosts: 38.115.131.131 mail.slsk.org
    O1 - Hosts: 38.115.131.131 server.slsk.org
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Tray] F:\Games\Games.exe
    O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
    O4 - HKLM\..\RunServices: [CMD] cmd32.exe
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Restart Hijack this and put a check mark against the following:

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
    O1 - Hosts: 38.115.131.131 sk2.slsk.org
    O1 - Hosts: 38.115.131.131 www.slsk.org
    O1 - Hosts: 38.115.131.131 mail.slsk.org
    O1 - Hosts: 38.115.131.131 server.slsk.org
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe
    O4 - HKLM\..\RunServices: [CMD] cmd32.exe
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe

    Click Fix Checked

    Temporarily Disable System restore

    Restart your computer

    Go to C:\WINDOWS\System32
    Find, Right click and delete cmd32.exe

    Go to Start | search | For Files and folders , do a search for RunDll16.exe, right click and delete

    Now update your Antivirus and do a full scan

    If it shows clear, reenable system restore, if not clean infected files, and rerun scan
     
  3. Indy Fontana

    Indy Fontana Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    4
    Hello again,

    I checked and deleted said files,
    I disabled system restore,
    Re-started,
    Could not find cmd32.exe in system32 folder.
    I have a cmd32 and a cmd, both of which are applications,
    I tried to delete the cmd32 file but access was denied.

    Hmmm,

    Any Ideas?

    Thanks for your time,

    Indy
     
  4. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Start in Safe Mode (F8 at start up)
    Delete the CMD32.exe, the other is a legitimate file
     
  5. Indy Fontana

    Indy Fontana Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    4
    Yeah,
    that did it.

    Thanks for the super-quick reply and faultless help.
    What a great service.

    Indy
     
  6. Mollie

    Mollie

    Joined:
    Nov 2, 2002
    Messages:
    308
    You should also change your registry as follows:

    Click "start," then "run," type in "regedit" (without quotes) and find the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

    In the right panel, find the value "Shell," right click it, choose "modify" from the menu that appears, then change the value data to "explorer.exe" (without quotes). Click okay, then exit regedit. If "Shell" already refers to explorer.exe, there's no need to do anything to your registry.

    As a precaution, back-up your registry before making any changes.


    Mollie
     
  7. Indy Fontana

    Indy Fontana Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    4
    Checked the registry and everything seems to be in order.

    Thanks again,

    Indy
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/165473

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice