
HLP, Dads Comp = Virus/Trojans/Errors needs HLP!

Discussion in 'Virus & Other Malware Removal' started by MaSta-Adam, Jan 5, 2004.

  1. MaSta-Adam

    MaSta-Adam Guest Thread Starter

    These are some viruses I found. I ran Stinger and got rid of another virus my SystemSuite Ontrack 4.0 didn't find.

    Found virus
    In File: C:\System Volume Information\_restore7AE9EE7D-3397-44D4-8272-52A24A5496B9\RP52\A0005295.dll
    Name: TROJ_BOOKMARK.A
    Requested action: Remove virus.
    Results: Failed. Removal attempt failed. File still infected. See recommendation below.

    Found virus
    In File: C:\System Volume Information\_restore7AE9EE7D-3397-44D4-8272-52A24A5496B9\RP6\A0001839.exe
    Name: WORM_MSBLAST.A
    Requested action: Automatically attempt to remove virus from infected file.
    Result: Failed. Removal attempt failed. File still infected. See recommendation below.

    Found virus
    In File: C:\WINDOWS\system32\svcpack.exe
    Name: BKDR_ITERATOR.A
    Requested action: Automatically attempt to remove virus from infected file.
    Result: Failed. Removal attempt failed. File still infected. See recommendation below.

    Files not scanned:
    C:\hiberfil.sys
    C:\pagefile.sys

    5141 Executables scanned
    21 Macros scanned
    4 Files inside archives scanned
    2 Files that could not be scanned (files in use, encrypted archives, etc.)
    5166 Total files scanned

    -=HiJaCkThIs LOG=-

    Logfile of HijackThis v1.97.7
    Scan saved at 4:16:08 PM, on 1/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
    C:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\WINDOWS\slrundll.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Broken Internet access because of LSP provider 'wps.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe?xdat=&url=http://66.117.38.54:80/static/dialexe14.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5025A743-5618-4A6F-8C02-28B6E78E253C}: NameServer = 209.244.0.3 209.244.0.4


    PLZ HELP!
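The log above lends itself to a scripted first pass. The following is an added example by the editor, not code from the thread or from HijackThis: it parses the entry lines of a HijackThis 1.9x log and flags the three entry types the replies in this thread act on: an O16 DPF entry whose mhtml: URL goes through a local .MHT to fetch an executable from a raw IP address, the O10 broken LSP chain, and the O17 per-adapter DNS override. SAMPLE_LOG is a constructed subset of the posted log; the pattern checks and the advice strings are this example's assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 1.9x log for the entry types this thread acts on.

Added example by the editor; not HijackThis' own code and not from the
thread. SAMPLE_LOG is a subset of the log posted above; the suspicious-
pattern heuristics are this example's assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O16"
    line: str    # the full log line
    reason: str  # why it was flagged


# Constructed sample: six lines copied from the log in the first post.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O4 - HKCU\\..\\Run: [BMUpdate] C:\\WINDOWS\\System32\\BMUpdate.exe
O10 - Broken Internet access because of LSP provider 'wps.dll' missing
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe?xdat=&url=http://66.117.38.54:80/static/dialexe14.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{5025A743-5618-4A6F-8C02-28B6E78E253C}: NameServer = 209.244.0.3 209.244.0.4
"""

# Entry lines look like "O16 - DPF: ..."; sections are R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I)
EXECUTABLE_RE = re.compile(r"\.(?:exe|scr|pif|bat)\b", re.I)
PLACEHOLDER_CLSID_RE = re.compile(r"\{1{8}-1{4}-1{4}-1{4}-1{12}\}")


def parse(log: str):
    """Return (section code, full line) for every HijackThis entry line."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), line))
    return entries


def triage(log: str):
    """Flag O16, O10 and O17 entries; every other section still needs a manual look."""
    findings = []
    for code, line in parse(log):
        if code == "O16":
            reasons = []
            if "mhtml:" in line.lower():
                reasons.append("mhtml: redirection through a local .MHT to load a remote file")
            if RAW_IP_URL_RE.search(line):
                reasons.append("download from a raw IP address rather than a vendor host")
            if EXECUTABLE_RE.search(line):
                reasons.append("DPF entry fetches an executable rather than a CAB/OCX")
            if PLACEHOLDER_CLSID_RE.search(line):
                reasons.append("placeholder CLSID {11111111-...}")
            if reasons:
                findings.append(Finding(code, line, "; ".join(reasons)))
        elif code == "O10":
            # A missing LSP DLL breaks Winsock; repair the chain, do not just delete the entry.
            findings.append(Finding(code, line, "Winsock LSP chain broken (missing DLL): repair with an LSP repair tool"))
        elif code == "O17":
            findings.append(Finding(code, line, "per-adapter DNS override: confirm these servers belong to the ISP"))
    return findings


def fix_list(log: str):
    """Lines to tick in HijackThis: only the O16 findings; O10 is repaired separately."""
    return [f.line for f in triage(log) if f.code == "O16"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line[:90]}")
```

Run against the posted log, `fix_list` returns exactly the one O16 line that the first reply tells the poster to tick, while the O10 and O17 lines come back as findings to handle by other means rather than as HijackThis fixes.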
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    First,
    run HijackThis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix checked

    O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.ex...c/dialexe14.exe
    then reboot &
    turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    That will purge the restore folder and clear any malware that has been put in there.

    now

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    then reboot again
    then
    Download & Run CWshredder from http://www.merijn.org/cwschronicles.html
    Close all browser windows, unzip the file, click on cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.

    and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection; otherwise you will be continually reinfected.
    The patches are:
    http://support.microsoft.com/default.aspx?kbid=828026
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp


    then reboot &
    Download Spybot - Search & Destroy from http://security.kolla.de

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &
    download AdAware 6
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    the current ref file should read 01R245 03.01.2004

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to Settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning" ........... then ........ "Cleaning engine" and "Let Windows remove files in use at next reboot"

    then...... click "Proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select all" from the drop-down menu), then press Next and say yes to the prompt "do you want to remove all these entries".

    reboot again

    then post a new hijackthis log to check what is left

    when and only when you are given the all clear then re enable system restore
     
  3. Flrman1

    Flrman1

    To fix this:

    O10 - Broken Internet access because of LSP provider 'wps.dll' missing

    Download LSPfix here: http://www.cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox. (DON'T DO ANYTHING ELSE!)

    Click Finish
     
  4. MaSta-Adam

    MaSta-Adam Guest Thread Starter

    Thanks, I thought that dialer looked suspicious, and that LSP thing, I was wondering what that was all about.
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Also I'm not sure what this file is
    C:\WINDOWS\slrundll.exe

    It might be a virus/trojan, but I can't see any start-up entry. I've only seen it mentioned in a couple of posts and no-one has yet got a response as to what it is.

    Please find that file, right click it & see what it says in properties

    then send a copy to me [email protected]
     
  7. MaSta-Adam

    MaSta-Adam Guest Thread Starter

    After I did what you guys said, my dad tried to get on the internet with MSN 8.0 and he couldn't. The firewall in "Ontrack SystemSuite 4.0" wouldn't let him through, and on the application list MSN and IE 6.0 are allowed, but IE 6.0 won't go through either. We have to disable the firewall or let it allow all. Any pointers or tips? Thanks guys...
     
  8. MaSta-Adam

    MaSta-Adam Guest Thread Starter

    slrundll.exe

    Type of File: Application
    Description: slrundll
    Location: C:\windows
    Size: 24.0KB
    Size on disk: 24.0KB
    Created: Thursday, November 21, 2002, 4:53:16 PM
    Modified: Thursday, November 21, 2002, 4:53:16 PM
    Accessed: Today, January 05, 2004, 10:43:13 PM

    I think that has to do with the modem. My dad uses 56K and he has a Smartlink 56K modem.
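Posts 5 and 8 work out what slrundll.exe is from its Properties dialog. As an added example by the editor (not from the thread), the script below gathers what a helper would want before deciding on an unknown executable: its size, its SHA-256, and the link timestamp stored in the PE header, which it sets against the filesystem Modified time (a link time far from the file time is worth a second look, since the build date and the date the file landed on disk normally sit close together). The minimal PE header it builds is constructed for the demonstration and is not the real slrundll.exe; the 30-day tolerance and the epoch value used for the post's 2002-11-21 16:53:16 timestamp (taken as UTC) are assumptions.

```python
"""Facts to collect about an unknown executable (slrundll.exe above) before
asking a helper or vendor about it: size, SHA-256, and the linker timestamp
in the PE header set against the filesystem Modified time.

Added example by the editor, not from the thread. The bytes come from a
constructed minimal PE header, not from the real slrundll.exe.
"""
import hashlib
import struct

SECONDS_PER_DAY = 86400


def build_minimal_pe(link_time: int) -> bytes:
    """Constructed stand-in: DOS header + PE signature + COFF file header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature sits at offset 64
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, link_time, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_link_time(data: bytes):
    """Return the COFF TimeDateStamp (seconds since 1970), or None if not a PE."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # TimeDateStamp is 8 bytes past the "PE\0\0" signature.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def describe(data: bytes, fs_modified: int, tolerance_days: int = 30) -> dict:
    """Summarise the file and flag a link time far from the filesystem Modified time.

    The 30-day tolerance is an assumption chosen for this example: a file copied
    in by an installer normally carries a link time close to its Modified time,
    while a repacked or back-dated file often does not.
    """
    link = pe_link_time(data)
    mismatch = link is not None and abs(fs_modified - link) > tolerance_days * SECONDS_PER_DAY
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "pe_link_time": link,
        "timestamp_mismatch": mismatch,
    }


if __name__ == "__main__":
    # Constructed: link time equal to the Modified time shown in the post,
    # 2002-11-21 16:53:16, taken as UTC (assumption) = 1037897596.
    sample = build_minimal_pe(1037897596)
    print(describe(sample, fs_modified=1037897596))
```

On a real file, replace `build_minimal_pe(...)` with the bytes read from C:\WINDOWS\slrundll.exe and `fs_modified` with the Modified time from the Properties dialog converted to an epoch value; the SHA-256 is what to quote when asking a vendor or helper about the file, rather than the name, since malware borrows names freely.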
     
Short URL to this thread: https://techguy.org/192688
